Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Issue in this.withCredentials attribute in Cross Origin Resource Sharing

We are implementing an AngularJS based application which uses a rest web service hosted in a different domain. The following script is used for CORS and it works perfectly on Chrome and FireFox. It has an issue in IE9 and Safari when authenticating. It seems the issue is with the withCredentials attribute in those browsers. Is there any other way that IE and Safari supports CORS?

<script type="text/javascript">
     XMLHttpRequest.prototype.realSend = XMLHttpRequest.prototype.send;
     XMLHttpRequest.prototype.send = function(vData) {
        this.withCredentials = true;
        this.realSend.apply(this, arguments);
     };
</script>
like image 875
Shanaka Avatar asked Oct 07 '13 09:10

Shanaka


People also ask

What is Cross-Origin Resource Sharing?

Cross-Origin Resource Sharing (CORS) Jump to: Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell a browser to let a web application running at one origin (domain) have permission to access selected resources from a server at a different origin.

What is the Origin header in a cross domain request?

When the browser sends a cross-domain request for a resource, it adds an “Origin” header to the request. The Origin header identifies the website where the request originated. Because the header is added by the browser, its contents can’t be modified by any scripts or application code that’s running in the browser.

Can we allow cross-origin calls for this service/resource?

Obviously, our browser is seeking some header that will tell that yes we can allow cross-origin calls for this service/resource. Here the resource is your backend/api. The browser seeks some header response ( ‘Access-Control-Allow-Origin’) from the service we are calling which is not present in our service.

What is a cross-origin HTTP request?

This type of action is called a cross-origin HTTP request. It is used to enable cross-site requests for XMLHttpRequest or FetchAPI calls (cross different origins), web fonts (@font from CSS), WebGL textures, and drawing frames using drawImage ().


1 Answers

According to the different scenarios we tried we could come up with following summary. Hope that would be useful.

  1. According to the browser specifications IE10+ and Safari 4+ versions supports XHR and withCredentials attribute.
  2. That can be used for CORS without any issue as in the above script.
  3. For other IE versions (9-) we need to use XDR.
  4. URL rewrite mod was not successful with the server side when it comes to HTTPS.

The solution was very simple. By default IE and Safari have disabled the 3rd party cookies. Since we use two different domains once a user enters the credentials to login, those browsers were unable to save that cookie. Because of that all other requests were unauthorized.

Steps for allowing 3rd party cookies

  • IE 10 - Internet Options > Privacy > Advanced > Third Party Cookies > Accept
  • Safari - Preferences > Privacy > Block Cookies > Never

Due to this problem we found that in AngularJS version 1.1.1+ they have made it easy by setting the ‘withCredentials’ value in ‘config’ module ( $httpProvider.defaults.withCredentials = true;)

like image 196
Shanaka Avatar answered Nov 14 '22 23:11

Shanaka