#amber on 2020-08-01 — irc logs at freenode.irclog.whitequark.org

2018-06-22 23:33 faustinoaq changed the topic of #amber to: Welcome to Amber Framework community! | https://amberframework.org | Developer happiness, productivity and bare metal performance | GH: https://github.com/amberframework | Docs: https://docs.amberframework.org | Gitter: https://gitter.im/amberframework/amber | IRC Logger: https://irclog.whitequark.org/amber | Amber::Server.start

00:43 <FromGitter> <samholst> Thank you Dru! WIth `axios` I ended up using the `X-Origin`, works now.

00:46 <FromGitter> <drujensen> Np. Glad it’s working. Seems like a common problem people run into. We might want to look at that spec closer.

06:24 alexherbo2 has joined #amber

06:25 alexherbo2_ has joined #amber

07:12 alexherbo2_ has quit [Ping timeout: 256 seconds]

07:12 alexherbo2 has quit [Ping timeout: 256 seconds]

07:32 _whitelogger has joined #amber

13:11 <FromGitter> <Blacksmoke16> a request that doesnt have an `Origin` header is not a CORS request

13:11 <FromGitter> <Blacksmoke16> and does not need to be validated

15:15 <FromGitter> <drujensen> Is it automatically set by the browser?

15:15 <FromGitter> <drujensen> for Post requests?

15:15 <FromGitter> <drujensen> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin

15:25 <FromGitter> <Blacksmoke16> it should be yes

15:26 <FromGitter> <Blacksmoke16> https://fetch.spec.whatwg.org/#http-requests

15:27 <FromGitter> <drujensen> @samholst do you mind opening a ticket about this issue? If the origin header doesn’t exist, the CORS pipe should ignore it and not validate against the allowed list.

15:27 <FromGitter> <drujensen> This would explain why other frameworks do not require it. ;-)

15:30 <FromGitter> <Blacksmoke16> https://github.com/nelmio/NelmioCorsBundle/blob/master/EventListener/CorsListener.php#L66 is what i based my listener on

16:21 <FromGitter> <eliasjpr> The browser should be setting the origin header it looks like is not doing that for case above which is why is requiring manually setting it up.

16:22 <FromGitter> <eliasjpr> As per the 403 forbidden it is true that is should not be validated when the origin header is not present.

16:22 <FromGitter> <eliasjpr> I recommend to having a separate pipeline when possible for CORS requests

16:24 <FromGitter> <eliasjpr> For Firefox note: The Origin header is not set on Fetch requests with a method of HEAD or GET (this behavior was corrected in Firefox 65 — see bug 1508661).

16:26 <FromGitter> <eliasjpr> The issue could be fix by simply changing this line to a call next handler https://github.com/amberframework/amber/blob/7dab4b531af5e9b58fe192dcddecaa4459f9403d/src/amber/pipes/cors.cr#L48