Oliver George 2021-06-29T00:53:02.244200Z

Thanks for this.


Anybody using re-frame with re-graph? How did you handle the CORS issue, especially about adding ‘withCredential: true’?


CORS is security enforced by the browser. When a browser app sends a CORS request it's asking the browser to bypass that security by allowing requests to a server/origin where it wasn't served. The browser checks with the server (via the headers) before passing the data to our app. That's why the server needs to include the allowed origin header. Credentials are in addition to CORS: "Access-Control-Allow-Credentials - HTTP | MDN"

p-himik 2021-06-30T22:32:05.248600Z

Ah, I stand corrected then, thanks! It's not the server that rejects a request, it's the browser.


I think so, but I wouldn't be surprised to find I'm wrong. The language around the topic is somewhat confusing because the goal (reducing security) isn't typically what you want to do and the means (browser enforced) isn't where things are typically done. We tend to think of our apps being in control of the browser, but that's not really true, or at least, that's how I understand it. It's an OS and we're operating at a level above root.

p-himik 2021-06-30T22:41:16.249200Z

I just checked - you aren't wrong. :) And of course, I have read through the MDN page for CORS before, but seems like I have remembered it poorly.


I claim to have at least 4 years of web development experience and every time I run into this issue I have to go re-read it because there is always a thing. Last time, I got everything right but wasn't actually passing the headers in my app request because I didn't serialize to JS. (I had switched from lambda island cljs fetch to vanilla JS fetch.) The browser responds back with a catch-all security message that led me to believe I was crazy.

p-himik 2021-06-29T13:34:57.245700Z

CORS is about your server, not your client.

p-himik 2021-06-29T13:35:45.245900Z

You ask a server at <|> to respond to a request from <|>. A server can reject such a request based on its CORS policy.


As far as I know, the request should be sent with with-credentials mode, and the server responds with “Access-Control-Allow-Credentials true”. I’ve set the server to accept requests from any source, together with all of the HTTP methods.


In the case of sending cookies in a cross-origin situation.

p-himik 2021-06-29T13:51:03.246500Z

Credentials are completely orthogonal to the CORS mechanism itself. But they can work together to allow you to get the resource you want.

> request should be sent with with-credentials mode

But only if the server requires credentials to access that resource. In case you know all that already - please ignore, I'm just nitpicking at the particular wording. Have you tried passing :http {:with-credentials? true ...} to ::re-graph/init?

p-himik 2021-06-29T13:51:33.246700Z

Or, perhaps, :http {:impl {:with-credentials? true} ...}.


Thanks for the clarification. I’ve been trying what you’ve just suggested.

p-himik 2021-06-29T14:20:28.247200Z

Sorry, no clue then.


oh, the problem was not having added

:access-control-allow-credentials "true"
on the server side. FYI, I found and it seemed to work. thanks!