
Ensure that CORS is configured properly #4943

Closed
masaball opened this issue Nov 3, 2022 · 5 comments
@masaball
Contributor

masaball commented Nov 3, 2022

After pushing the CORS changes to the demo site we are still encountering problems when attempting to use IIIF manifests in external services. Checking the network tab and the console, the access-control-allow-origin header is being set properly. It is reflecting the external service that the IIIF manifest is being loaded into. However, we are missing another header that is apparently necessary: access-control-allow-credentials.

The error seen is "Access to XMLHttpRequest from origin has been blocked by CORS policy: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute."

We may need to enable the Access-Control-Allow-Credentials header in Rack::CORS. This would be an unsafe configuration though. I am unsure of the XMLHttpRequest, but if that's from our application we can set the withCredentials attribute to false. I think that would break authentication and possibly other behavior though.

Need to investigate the best approach for this and determine the actual level of risk involved in the solutions.
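An added example, not Avalon's code and not the rack-cors gem itself: a minimal Rack-compatible CORS middleware in plain Ruby that models the two settings discussed above (which origins may read the manifest, and whether Access-Control-Allow-Credentials: true is sent). It assumes a hypothetical viewer origin and a constructed stand-in manifest endpoint; the point is that credentials are only ever granted to an explicit origin allowlist, never to a reflected arbitrary Origin.

```ruby
# Added example (not the project's own code): a tiny Rack-style CORS middleware
# that needs no gems, mirroring the allowlist + credentials shape the issue needs.
class CorsMiddleware
  # allowed_origins: exact origins (scheme://host[:port]) permitted to read responses.
  # credentials: whether credentialed (withCredentials / cookie) requests are allowed.
  def initialize(app, allowed_origins:, credentials: false)
    @app = app
    @allowed_origins = allowed_origins
    @credentials = credentials
    # Browsers reject "*" for credentialed requests; reflecting any Origin instead
    # would let every site read authenticated responses, so refuse that combination.
    if credentials && allowed_origins.include?('*')
      raise ArgumentError, 'credentials require an explicit origin allowlist'
    end
  end

  def call(env)
    status, headers, body = @app.call(env)
    origin = env['HTTP_ORIGIN']
    if origin && @allowed_origins.include?(origin)
      headers['Access-Control-Allow-Origin'] = origin
      headers['Vary'] = 'Origin' # response differs per origin; keep caches honest
      headers['Access-Control-Allow-Credentials'] = 'true' if @credentials
    elsif origin && @allowed_origins.include?('*')
      headers['Access-Control-Allow-Origin'] = '*' # anonymous access only
    end
    [status, headers, body]
  end
end

# Constructed stand-in for a manifest endpoint (not the real application).
MANIFEST_APP = lambda do |_env|
  body = '{"@context":"http://iiif.io/api/presentation/3/context.json"}'
  [200, { 'Content-Type' => 'application/json' }, [body]]
end

# Safer configuration: credentials granted only to one named viewer origin.
def build_app(viewer_origin)
  CorsMiddleware.new(MANIFEST_APP, allowed_origins: [viewer_origin], credentials: true)
end

# Response headers for a GET from `origin` (nil models a same-origin request).
def headers_for(app, origin)
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/manifest.json' }
  env['HTTP_ORIGIN'] = origin if origin
  app.call(env)[1]
end
```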

@joncameron
Contributor

UV requires this, but there are potential security risks. It would be ideal to have documentation on these risks.

Should we also check in with UV about this configuration? UV devs had originally pointed this out to us. We could reach out and get clarity.

@masaball masaball self-assigned this Nov 7, 2022
@masaball
Contributor Author

masaball commented Nov 8, 2022

@elynema
Contributor

elynema commented Dec 2, 2022

Tested with this manifest in UV. Manifest content loading, but not video content. Manifest itself is indicating some auth issues. @joncameron Can you test also?

@joncameron
Contributor

joncameron commented Dec 6, 2022

I found the same as Emily with this manifest in UV. I'm getting this error in the console:
Uncaught SyntaxError: JSON.parse: unexpected character at line 1 column 1 of the JSON data

@joncameron
Contributor

This was probably due to a bad record (^) and other testing looks good so I'm going to close this issue.
