IE11 does not add CORS header when using the same domain #118
Comments
So far, the only working solution I've found is very dirty: it's changing the else in the
Can reproduce - here's IE11 on Windows 8, with the following YAML on a stock SS4:
That's a big assumption, and not specifically mentioned in the issue or comments there.
This Stackoverflow post gives a bit of context on the origin behaviour. We've ruled out setting the I've confirmed that my Browserstack tests are putting the site in the "Internet Zone", rather than a "Trusted Zone" that might prevent the Origin header from being sent. Looking at the headers, this should be considered a simple request in CORS speak, not requiring a preflight.
It's not an assumption, it's an observation. I see it happen on my Windows 10 IE11 and Edge.
Apollo uses isomorphic-fetch as a polyfill for the WHATWG fetch API in IE11. Assuming that JS libraries can't really interfere with user agent stuff like setting One of the effects here is that removing
This script executed on the same domain (
I officially give up on this now :D At first I thought Simon's patch was a security hole (allowing elevated access simply by changing a user agent), but that's not the case: the server has already expressed that every origin can access the resource. The problem with Simon's patch is if you want to allow same domain and whitelist specific domains. It'll still deny the response, because
A flaw in my logic: I was assuming the I think we should alter Simon's patch to always send
You've fairly conclusively written out my discoveries over the last couple of days. What I think is we could add a
Also, I can hardly believe we are dealing with exceptions for IE. I mean, it's 2017! |
Here's an updated version with referral checking in IE11
I'm investigating
You know where to find me if you have any questions :)
@Firesphere I found another example of this solution being applied to another project. With that in mind, it's probably safe enough?
OWASP seems to think so https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Checking_the_Origin_Header
That seems to be the same form of implementation as my second bit of code on how it could be done. So I'd say, possibly with some added configuration, it's not too big a security issue.
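The Origin-or-Referer check discussed in this thread, as an added PHP example that is not the module's own code nor the patch from the linked PR; the header arrays, host names and allow-list are constructed for illustration:

```php
<?php
// Added example, not the module's own code. Headers, $serverOrigin and the
// allow-list used below are constructed for illustration.

/** scheme://host[:port] of a URL (lower-cased), or null if unparseable. */
function originFromUrl(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    $origin = strtolower($p['scheme'] . '://' . $p['host']);
    // Keep an explicit port: "same host, different port" is a different origin.
    return isset($p['port']) ? $origin . ':' . $p['port'] : $origin;
}

/** Origin header if sent; otherwise the origin part of Referer; otherwise null. */
function requestOrigin(array $headers): ?string
{
    if (!empty($headers['Origin'])) {
        return originFromUrl($headers['Origin']);
    }
    if (!empty($headers['Referer'])) {
        return originFromUrl($headers['Referer']); // fallback for IE11/Edge same-domain requests
    }
    return null;
}

/**
 * Value to send in Access-Control-Allow-Origin, or null to deny.
 * A '*' allow-list has already granted every origin, so a missing Origin
 * header changes nothing there. Otherwise the request must be traceable to
 * the server's own origin or to an allow-listed one.
 */
function allowOrigin(array $headers, string $serverOrigin, array $allowed): ?string
{
    if (in_array('*', $allowed, true)) {
        return '*';
    }
    $origin = requestOrigin($headers);
    if ($origin === null) {
        return null; // neither header present: nothing to verify against
    }
    if ($origin === strtolower($serverOrigin) || in_array($origin, $allowed, true)) {
        return $origin; // echo the verified origin back, never '*'
    }
    return null;
}

// Constructed IE11 same-domain request: Referer present, Origin missing.
$headers = ['Referer' => 'https://cms.example.com/admin/assets/'];
var_dump(allowOrigin($headers, 'https://cms.example.com', ['https://app.example.com']));
var_dump(allowOrigin(['Origin' => 'https://evil.example.net'], 'https://cms.example.com', ['https://app.example.com']));
```

Referer can itself be suppressed by a referrer policy or a non-browser client, so a request carrying neither header is still denied unless the allow-list is '*'.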
BUG Prevent un-extendable config by shifting defaults into PHP
BUG Remove dependency on Doctrine module breaking with --prefer-dist
BUG Fix tests not checking cors port
ENHANCEMENT Clean up Controller::index() method and make lovely
ENHANCEMENT Optimise all imports
Fixes silverstripe#118
Fix at #132. Also fixed all the terrible coding style in this module and various other bugs.
BUG Prevent un-extendable config by shifting defaults into PHP
BUG Fix tests not checking cors port
ENHANCEMENT Clean up Controller::index() method and make lovely
Fixes silverstripe#118
IE11 and Edge do not add the CORS Origin header, even when explicitly set, when the domain is the same as the domain graphql (asset admin) tries to talk to.
This breaks the CMS when CORS is enabled, which means the GraphQL API becomes a lot less useful to anyone who wants to serve it to other domains or standalone apps, and still support IE for its content authors.
Explicitly setting the Origin header in the asset admin does not resolve the problem, as IE still does not actually add it.
Background is here:
https://connect.microsoft.com/IE/feedback/details/781303/origin-header-is-not-added-to-cors-requests-to-same-domain-but-different-port
Although the issue applies to the same port as well as a different port
PRs: