CORS request failure with jQuery using withCredentials and client certificates

I can't figure out why this CORS request is failing to return data.

I'm using Catalyst MVC on the backend, Firefox 24.0 as the browser, and jQuery 1.9.1. Please note the following:

  1. otherdomain.com requires a client certificate.
  2. Hitting the resource directly (https://otherdomain.com/resource/1) returns the expected data.

I have a simple page that tests the request:

<script type='text/javascript'>
    function get_data() {
        console.log("running");
        $.ajax({
            url: "https://otherdomain.com/resource/1",
            dataType: 'json',
            type: 'GET',
            xhrFields: {
                // send cookies / client certificate on the cross-origin request
                'withCredentials': true
            },
            crossDomain: true
        }).success(function(data) {
            console.log(data);
            $('#output').html(data);
        }).error(function(xhr, status, error) {
            alert("error");
            console.log(xhr);
        });
    }

    $(document).ready(function() {
        get_data();
    });
</script>

Here are my request headers:

GET /resource/1 HTTP/1.1
Host: otherdomain.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://mydomain.com/test.html
Origin: https://mydomain.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

Here are my response headers (copy of the view source from the Firebug console). I see in my Catalyst debug output that the request is served as 200 OK and the content is sent.

HTTP/1.1 200 OK
Date: Mon, 28 Oct 2013 19:31:08 GMT
Server: HTTP::Server::PSGI
Vary: Content-Type
Content-Length: 653
Content-Type: application/json
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 1800
X-Catalyst: 5.90030
Via: 1.1 otherdomain.com

And the error is thrown from the ajax call:

readyState: 0
responseText: ""
status: 0
statusText: "error"

Firebug shows the response body as empty for the request even though it's a 200 OK.

I thought that when using 'withCredentials' a pre-flight request was required but I don't see an OPTIONS being sent via firebug.

Also, I can see no Access-Control-Request-Headers header being added by my request, so I'm not returning any Access-Control-Allow-Headers from the server.

Now, the frontend of Catalyst is Apache2, and I'm using ProxyPass in a virtual host to send the request to Catalyst on localhost:8080. I'm not sure if that has any bearing but thought it might be important. It should be transparent to the browser though.

Thanks for any help!

mikew asked Oct 28 '13 20:10

1 Answer

  1. GET requests are not preflighted. See Here
  2. When responding to a credentialed request, the server must specify a domain, and cannot use wildcarding (must not be Access-Control-Allow-Origin: *). See Here
LostInComputer answered Oct 05 '22 23:10
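An added example (not code from the question, the answer, or Catalyst) that makes point 2 concrete: the browser-side check that rejects the posted `Access-Control-Allow-Origin: *` response when `withCredentials` is set, and an allowlist-based server-side header builder that echoes a known origin instead. The origin value and allowlist are the question's `https://mydomain.com`; the rejection of unknown origins is an assumption about sensible policy, not something the page states.

```javascript
// Browser-side rule: a credentialed cross-origin response is exposed to the
// page only if Access-Control-Allow-Origin exactly equals the request Origin
// (never "*") and Access-Control-Allow-Credentials is the literal "true".
function browserAcceptsCredentialed(requestOrigin, responseHeaders) {
  const get = (name) => {
    const key = Object.keys(responseHeaders).find(
      (k) => k.toLowerCase() === name.toLowerCase()
    );
    return key === undefined ? null : responseHeaders[key];
  };
  const allowOrigin = get("Access-Control-Allow-Origin");
  const allowCredentials = get("Access-Control-Allow-Credentials");
  if (allowOrigin === null || allowOrigin === "*") return false;
  if (allowOrigin !== requestOrigin) return false;
  return allowCredentials === "true";
}

// Server-side: build response headers for a credentialed request from an
// explicit allowlist. Echoing any Origin back unchecked would be equivalent
// to "*" with credentials, so an origin not on the list gets no CORS headers.
function corsHeadersFor(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "POST, GET, OPTIONS",
    "Access-Control-Max-Age": "1800",
    // The response now differs per Origin, so caches must key on it.
    "Vary": "Origin",
  };
}

// Response headers as posted in the question (wildcard origin + credentials).
const postedResponse = {
  "Access-Control-Allow-Credentials": "true",
  "Access-Control-Allow-Methods": "POST, GET, OPTIONS",
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Max-Age": "1800",
};
const origin = "https://mydomain.com";
const fixedResponse = corsHeadersFor(origin, ["https://mydomain.com"]);

console.log(browserAcceptsCredentialed(origin, postedResponse)); // false
console.log(browserAcceptsCredentialed(origin, fixedResponse));  // true
```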