-
Notifications
You must be signed in to change notification settings - Fork 37
Allows CORS on PSA Document? #118
Comments
I ran into issue beakerbrowser#118 , here is a PR that I think will address the issue, for your consideration.
Opened PR #119 |
Hmm... is there any possible reason we wouldn't want to allow this? |
Paul, Is that a trick question? |
Eaaaasy man, I'm not trying to be a jerk. I couldn't remember off the top of my head whether CORS would send credentials from another origin or if there was any other security concern. You just dumped a PR on me and I think it's fair for me to ask. AFAICT the answer is no. Existing credentials (cookies) are never sent if we set allow to |
Ah, ok no worries I thought you might have wanted me to think deeper before asking for what I thought was needed. I'll look into the cookies and try to test it out first, it's just not my area of expertise. If we need to pass cookies, from what I understand we may need to add:
|
🍻 Appreciate it! If we have to set allow-credentials, we should make sure that doesn't allow credentials to get attached across origins. |
If it turns out we can't get cookies to be sent without breaking session-isolation of SOP, we should look into sending the Authorization header instead of using cookies. |
See, I'm glad I asked then. I only got so far as trying to get the PSA Document, for which no credentials are required. I'm sure I would have hit this wall once the PSA doc was fetched and tried to log in. I'll continue to pick away at it. |
For sure. I'm sorry my original response was short; tail end of the day. |
Anything I can do to help push this forward? 😁 |
Oh yeah @RangerMauve ! Do you have a pinning server up? I've been trying to bring one up to test this, but I've been running into challenges so far. |
A pinning server with the proper CORS headers? I can set one up for you tomorrow. 😁 I'll just expose my dat-store instance on Digital Ocean and see if that works. |
Oh, I thought if we were going to edit the hashbase code, we would need an instance of hashbase up and running? Although, in looking at dat-store, that seems pretty straightforward. Is it really as easy as |
Oh, k. I'll see what I can do there. Hashbase requires a bunch more config, so that might take more time, but I think I can figure it out. 😁 dat-store should behave the same as an unauthenticated hashbase. |
Bleh. While getting the CORS stuff into dat store I got some sort of error with folder sync. 😭 Hopefully I'll have something this evening. |
of course it's a Windows problem. 😭 |
K, lost most of my day to fixing some weird bugs in dat-store. I'll need to figure out setting up a CORS enabled store tomorrow instead. 😅 |
@pfrazee I am trying to use beakerbrowser/dat-pinning-service-client to access hashbase.io/.well-known/psa from a non-beaker origin domain, but I am getting the error:
I see #43 allowed CORS, but what about the PSA Document?
Has this issue already been addressed elsewhere or do we need a fix?
The text was updated successfully, but these errors were encountered: