Page MenuHomePhabricator

[lib] Remove withCredentials on upload blob call
ClosedPublic

Authored by michal on Nov 6 2023, 1:24 AM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Dec 17, 7:00 AM
Unknown Object (File)
Wed, Dec 4, 10:11 PM
Unknown Object (File)
Nov 22 2024, 7:03 AM
Unknown Object (File)
Nov 8 2024, 12:28 AM
Unknown Object (File)
Nov 8 2024, 12:28 AM
Unknown Object (File)
Nov 8 2024, 12:08 AM
Unknown Object (File)
Nov 7 2024, 8:05 PM
Unknown Object (File)
Oct 9 2024, 11:51 AM
Subscribers

Details

Summary

Fix for ENG-5669

During request for blob upload we set withCredentials to true. This tells browser that it should include credentials (cookies, HTTP authentication headers) when making requests for both same-origin and cross-origin requests. But for cross-origin requests, the server also needs to respond with a correct CORS header. We have two options for fixing this:

  1. Add the required CORS header. This is basically adding credentials: true to the cors config in keyserver/keyserver.js
  2. Remove the withCredentials line. After my recent cookie changes, we stopped using browser cookies on web, and instead pass them inside the formdata like on native. This means that we don't need to include credentials (in this case meaning browser cookies) with this request.

Both of these changes worked, this diff implements the (2) option as it simplifies the code.

Test Plan

Follow instructions in D9396 so the web app is hosted on different origin then the keyserver (so we can test CORS issues).
Check that without this diff the request fails with the same error as in ENG-5669
Check that with this diff the request succeeds.

Also checked that native (checked on iOS emulator) can still send images.

Diff Detail

Repository
rCOMM Comm
Branch
michal/eng-5669
Lint
No Lint Coverage
Unit
No Test Coverage