Option to set xhr.withCredentials

[aakoshh]

I'm facing a scenario where I have to talk to a gRPC server that sits behind a reverse proxy which redirects to ADFS for login and sets a http-only session cookie which it will pick up on subsequent requests and attaches an Authorization header. The problem is that the transports don't set the cookies with the gRPC invocation, so each POST results in a redirect.

What do you think about adding an option somewhere which could set the withCredentials property of the XMLHttpRequest before sending the request?

[fabxc]

Looks like the CORS headers set for OPTIONS requests specifically set Access-Control-Allow-Credentials: true but the JS/TS implementation hard-codes the opposite (e.g. here and not allowing to set withCredentials = true in the XMLHTTPRequest.

This seems like an unnecessary restriction that forces annoying constraints on the rest of the setup. Providing a fully custom transport for this seems like a lot of overhead.

[jonnyreeves]

So while we can solve this problem for fetch and xhr based transports, there is nothing that can be done for including cookies on cross-origin WebSocket connections as far as I know.

One workaround would be to make the WebSocketTransport throw an error if you try to construct it in such a way that you request credentials (cookies) be send cross origin (credentials: 'include').

[MOZGIII]

Why not let the browser deal with that?
I was looking for a way to pass credentials: 'include' to the fetch transport - and found this issue. Our usecase is actually sending the corss-origin request with cerdentials - it's allowd by fetch spec.

[MOZGIII]

We ended up copying fetch transport from tree to our source code and patching it so it passes include.
In general it would be great to have an ability to configure various transport-specific parameters if we opt out of transport autodetection by pass transport manually. Seems like a good idea to me - it doesn't require a generic interface deduction of any kind, and just provides a flexible way of using that's already in there.

I can compose a sample PR if you like this idea.

[johanbrandhorst]

Sounds good to me, let's get a PR up for discussion.

[MOZGIII]

@johanbrandhorst please take a look at #260

[MOZGIII]

And #261.

[jonny-improbable]

This has been resolved for some time now, you can now configure the CrossBrowserTransport.

[maxmcd]

Linking directly for others:

grpc-web/client/grpc-web/src/transports/http/http.ts

Lines 9 to 17 in d92a6da

	export function CrossBrowserHttpTransport(init: CrossBrowserHttpTransportInit): TransportFactory {
	if (detectFetchSupport()) {
	const fetchInit: FetchTransportInit = {
	credentials: init.withCredentials ? "include" : "same-origin"
	};
	return FetchReadableStreamTransport(fetchInit);
	}
	return XhrTransport({ withCredentials: init.withCredentials });
	}