#re-frame
2021-06-29
tlonist13:06:29

Anybody using re-frame with re-graph? How did you handle the CORS issue, especially about adding ‘withCredential: true’?

p-himik13:06:57

CORS is about your server, not your client.

p-himik13:06:45

You ask a server at to respond to a request from . A server can reject such a request based on its CORS policy.

tlonist13:06:22

As far as I know, the request should be sent with with-credentials mode, and the server responds with “Access-Control-Allow-Credentials true”. I’ve set the server to accept requests from any source, together with all of the HTTP methods.

tlonist13:06:04

In the case of sending cookies in cross-origin situation.

p-himik13:06:03

Credentials are completely orthogonal to the CORS mechanism itself. But they can work together to allow you to get the resource you want.

> request should be sent with with-credentials mode

But only if the server requires credentials to access that resource. In case you know all that already - please ignore, I'm just nitpicking at the particular wording.

Have you tried passing :http {:with-credentials? true ...} to ::re-graph/init?

p-himik13:06:33

Or, perhaps, :http {:impl {:with-credentials? true} ...}.

tlonist14:06:30

Thanks for clarification. I’ve been trying what you’ve just suggested.

p-himik14:06:28

Sorry, no clue then.

tlonist14:06:46

oh, the problem was not having added

:access-control-allow-credentials "true"
on the server side. FYI, I found https://stackoverflow.com/questions/56607272/re-graph-cors-error-with-remote-graphql-server and it seemed to work. thanks!

👍 2
Drew Verlee22:06:18

CORS is security enforced by the browser. When a browser app sends a CORS request it's asking the browser to bypass that security by allowing requests to a server/origin where it wasn't served. The browser checks with the server (via the headers) before passing the data to our app. That's why the server needs to include the allowed origin header. Credentials are in addition to CORS.

"Access-Control-Allow-Credentials - HTTP | MDN" https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials

p-himik22:06:05

Ah, I stand corrected then, thanks! It's not the server that rejects a request, it's the browser.

Drew Verlee22:06:57

I think so, but I wouldn't be surprised to find I'm wrong. The language around the topic is somewhat confusing because the goal (reducing security) isn't typically what you want to do and the means (browser enforced) isn't where things are typically done. We tend to think of our apps being in control of the browser, but that's not really true, or at least, that's how I understand it. It's an OS and we're operating at a level above root.

p-himik22:06:16

I just checked - you aren't wrong. :) And of course, I have read through the MDN page for CORS before, but seems like I have remembered it poorly.

Drew Verlee22:06:10

I claim to have at least 4 years of web development experience and every time I run into this issue I have to go re-read it because there is always a thing. Last time, I got everything right but wasn't actually passing the headers in my app request because I didn't serialize to JS. (I had switched from lambda island cljs fetch to vanilla JS fetch.) The browser responds back with a catch-all security message that led me to believe I was crazy.

👍 4