CORS does not allow * wildcard with current apollo graphiql implementation #514

Closed
diit opened this issue Aug 24, 2017 · 8 comments

Comments

@diit
Contributor

diit commented Aug 24, 2017

Expected:

  • Setup GraphQL endpoint with cors (default express setup)
  • Setup GraphiQL (default setup)
  • Allows querying

Actual:

  • Throws Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin '<location>' is therefore not allowed access.

Cause: https://github.com/apollographql/apollo-server/blob/master/packages/apollo-server-module-graphiql/src/renderGraphiQL.ts#L147

@stubailo
Contributor

Ooh, hmm.

Should we switch the default credentials to same-origin?

@diit
Contributor Author

diit commented Aug 24, 2017

https://developer.mozilla.org/en-US/docs/Web/API/Request/credentials

CORS is not my strong suit but that appears to be the correct option. Unless this should be a config thing, as it appears that some people are using cookies while others need an API to be publicly accessible from arbitrary users.

@stubailo
Contributor

Oh I mean on the GraphiQL side - we can change the way it sends the cookies to avoid the error. We can replace include with same-origin

@diit
Contributor Author

diit commented Aug 24, 2017

Yes I agree, sorry if I wasn't clear.

@stubailo
Contributor

Awesome - mind sending a PR for that?

diit added a commit to diit/apollo-server that referenced this issue Aug 24, 2017
stubailo pushed a commit that referenced this issue Aug 25, 2017
* Move from credentials: 'include' to 'same-origin'

See Discussion: #514

* Update CHANGELOG.md

* Update CHANGELOG.md
@diit
Contributor Author

diit commented Aug 31, 2017

Can we get a feature bump on this so it can be used?
Not included in v1.1.2

@evenfrost

Seems to be solved in v.1.1.6.

@stubailo
Contributor

Thanks!

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 21, 2023
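
The browser rule behind the error reported in this thread, modelled as an added example (not code from apollo-server or GraphiQL): a simplified version of the Fetch standard's CORS check, run against a wildcard response and an explicit-origin response. The function name `corsCheck`, the origins and the header sets are assumptions made for the illustration.

```javascript
// Simplified model of the "CORS check" step in the Fetch standard, which
// the browser applies to the preflight response and to the actual response.
// Header names are expected in lower case.
function corsCheck(request, responseHeaders) {
  const allowOrigin = responseHeaders['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    return { allowed: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  // A wildcard is only honoured when the credentials mode is not 'include'.
  if (request.credentials !== 'include' && allowOrigin === '*') {
    return { allowed: true, reason: 'wildcard accepted, credentials mode is not include' };
  }
  if (allowOrigin !== request.origin) {
    const reason = allowOrigin === '*'
      ? "wildcard '*' rejected because credentials mode is 'include'"
      : 'allowed origin does not match the requesting origin';
    return { allowed: false, reason };
  }
  if (request.credentials !== 'include') {
    return { allowed: true, reason: 'origin matches' };
  }
  // Credentialed requests also need an explicit opt-in from the server.
  if (responseHeaders['access-control-allow-credentials'] === 'true') {
    return { allowed: true, reason: 'origin matches and credentials are allowed' };
  }
  return { allowed: false, reason: 'Access-Control-Allow-Credentials is not true' };
}

// Constructed scenario: GraphiQL page on one origin, GraphQL endpoint on another.
const page = 'http://localhost:3000';
const wildcard = { 'access-control-allow-origin': '*' };
const explicit = {
  'access-control-allow-origin': page,
  'access-control-allow-credentials': 'true',
};

const cases = [
  ['include', wildcard],      // the failure reported in this issue
  ['same-origin', wildcard],  // the change made in the fix
  ['include', explicit],      // cookie-based setups: named origin plus opt-in
];
for (const [credentials, headers] of cases) {
  const result = corsCheck({ origin: page, credentials }, headers);
  console.log(credentials, JSON.stringify(headers), '->', result.allowed, '-', result.reason);
}
```

With `same-origin`, the browser does not attach cookies to the cross-origin request, so a deployment that relies on cookies across origins still needs the explicit-origin configuration in the third case.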