cors-anywhere
problem after deploy to Heroku (Cookie is missing in the request header)
Hi, thanks for this great tool.
I used the PR #52 code and also added `headers['Access-Control-Allow-Credentials'] = true;` into the `withCORS` method to include cookies in the CORS request.
Everything works properly in dev mode (CORS Anywhere hosted on 0.0.0.0:8080), but it no longer works when hosted on Heroku.
The problem is that the cookie is missing from the request header.
In dev mode, the request header contains `Cookie: GAMEC=Wed Aug 09 2017 15:30:18 GMT+0800 (CST)`, but on Heroku there is no 'Cookie' in the request header.
The site sets the cookie like below:
```javascript
try {
  document.cookie = "GAMEC=" + new Date() + ";path=/";
} catch (e) {
  document.cookie = "GAMEC=" + Date().valueOf() + ";path=/";
}
```
I'm using fetch to make a CORS request:
```javascript
fetch(url, {
  method: 'POST',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded;',
  },
  // Ask the browser to attach cookies to this request
  credentials: 'include',
  body: formData,
})
```
Is it Heroku's problem? Or did I do anything wrong?
Please help me solve the problem, thanks.
Your described scenario will only cause cookies to appear if all of the following three are at the same origin:
- The code where `document.cookie` is set.
- `url` in your `fetch` snippet.
- The page from where `fetch` is called.
If the first and second origin differ, then obviously the browser is not going to send cookies of 1 to the API endpoint at 2. There is no way to get around this.
If the second and third origin differ, then the `fetch` will not perform a request because the "mode" parameter is not explicitly set. To request a cross-origin request, set `mode: 'cors'`. Search for "mode" in the documentation if you need to learn more: https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/fetch
Do note that if you allow cookies, that the cookies are sent to every site that can be proxied through your fork of CORS Anywhere. If the cookies don't contain private information, that can be acceptable, but if they do contain sensitive information, then you have a privacy and/or security problem.
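The two browser rules behind this answer, as an added example that is not part of the thread or of cors-anywhere: a host-only cookie is attached by request host, and a credentialed cross-origin response must pass the CORS check. The function names and the `game.example`, `app.example` and `proxy.example` hosts are constructed for illustration; SameSite and Secure are not modelled.

```javascript
// Added example, not cors-anywhere code. Hosts and headers are constructed.

// Rule 1 (RFC 6265): a cookie written through document.cookie without a Domain
// attribute is host-only. It is attached only when the request host equals the
// host of the page that set it (port is ignored) and the path matches.
function hostOnlyCookieAttached(cookieSetOnUrl, cookiePath, requestUrl) {
  const setOn = new URL(cookieSetOnUrl);
  const req = new URL(requestUrl);
  if (setOn.hostname !== req.hostname) return false;
  const p = req.pathname;
  return p === cookiePath ||
    (p.startsWith(cookiePath) &&
      (cookiePath.endsWith('/') || p[cookiePath.length] === '/'));
}

// Rule 2 (Fetch CORS check): with credentials: 'include' the browser exposes a
// cross-origin response only if Access-Control-Allow-Origin is the exact page
// origin (never "*") and Access-Control-Allow-Credentials is "true".
function credentialedCorsCheck(pageOrigin, responseHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = String(v);
  const acao = h['access-control-allow-origin'];
  if (acao === undefined) return 'blocked: no Access-Control-Allow-Origin';
  if (acao === '*') return 'blocked: wildcard origin with credentials';
  if (acao !== pageOrigin) return 'blocked: origin mismatch';
  if (h['access-control-allow-credentials'] !== 'true') {
    return 'blocked: Access-Control-Allow-Credentials is not "true"';
  }
  return 'ok';
}

// Combine both rules for one fetch(requestUrl, { credentials: 'include' }).
function diagnose({ cookieSetOn, pageUrl, requestUrl, responseHeaders }) {
  const pageOrigin = new URL(pageUrl).origin;
  const sameOrigin = pageOrigin === new URL(requestUrl).origin;
  return {
    cookieAttached: hostOnlyCookieAttached(cookieSetOn, '/', requestUrl),
    response: sameOrigin ? 'ok' : credentialedCorsCheck(pageOrigin, responseHeaders),
  };
}

// Constructed case: the cookie is set on game.example, the fetch goes to a proxy.
const viaProxy = diagnose({
  cookieSetOn: 'https://game.example/play',
  pageUrl: 'https://app.example/',
  requestUrl: 'https://proxy.example/https://game.example/api',
  responseHeaders: { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': true },
});
```

In the constructed case `viaProxy` reports that the cookie is not attached (the request host is the proxy, not the site that set the cookie) and that the response is blocked because of the wildcard origin.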
My issue might be related, that's why I don't open another one.
I got kind of the same problem, but my cookies are not in the document.cookies variable, they should be only HTTP cookies set by set-cookie response headers. So the custom REST API I'm currently working on sets a session token with the set-cookie header and uses it in further requests... for any reason this works without problems in Postman, even without cors-anywhere, but there are CORS errors when I use fetch.
Is there any option to enable setting cookies or something? @Rob--W
@DevCubeHD Your comment does not contain enough details to give a proper answer, as it is not clear whether you use the default CORS Anywhere (e.g. the public demo), a fork or custom config.
> Is there any option to enable setting cookies or something? @Rob--W
No there is not. There is no safe or reliable way to offer cookie support; see my most recent comment at https://github.com/Rob--W/cors-anywhere/pull/154#issuecomment-468649353
> My issue might be related, that's why I don't open another one.
> I got kind of the same problem, but my cookies are not in the document.cookies variable, they should be only HTTP cookies set by set-cookie response headers. So the custom REST API I'm currently working on sets a session token with the set-cookie header and uses it in further requests... for any reason this works without problems in Postman, even without cors-anywhere, but there are CORS errors when I use fetch.
> Is there any option to enable setting cookies or something? @Rob--W

How to solve this problem?