Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Two Origins not ideal for CORS header #255

Closed
NiklasMerz opened this issue Jan 7, 2019 · 12 comments
Closed

Two Origins not ideal for CORS header #255

NiklasMerz opened this issue Jan 7, 2019 · 12 comments

Comments

@NiklasMerz
Copy link
Contributor

NiklasMerz commented Jan 7, 2019
edited
Loading

Since version 3.0.0 this plugin now uses ionic://localhost for iOS and http://localhost for Android. The Access-Control-Allow-Origin header only allows one value? Using * is not possible for requests with credentials.

What can we do about that?
@AMerkuri
Copy link

AMerkuri commented Jan 8, 2019

I had same problem on dotnet https://stackoverflow.com/questions/54091699/aspnetcore-2-2-api-cors-policy/54092857#54092857

@NiklasMerz
Copy link
Contributor Author

@AMerkuri Thanks. I can set multiple origins but Android does not accept a header with with two origins.

@AMerkuri
Copy link

AMerkuri commented Jan 8, 2019

Do not use *. Read origin request header from the client and set Access-Control-Allow-Origin value to that.
https://stackoverflow.com/questions/1653308/access-control-allow-origin-multiple-origin-domains

@NiklasMerz
Copy link
Contributor Author

NiklasMerz commented Jan 8, 2019 via email
edited
Loading

@jcesarmobile
Copy link
Member

Well, this depends entirely on your server as there are a lot of types of servers and each one is configured in a different way.
What you need to do is to check the origin and return it if valid.
If you can't use server code to do that, you can probably still do it using a regular expression in a .htaccess file

@NiklasMerz
Copy link
Contributor Author

Thanks. I cannot change the header programmtically in this case.

The solution I did for now is to disable the webserver on Android. Is this worth a PR or is it unlikely to be merged? I just need this plugin for WKWebView for now and I don't know why the http protocol is necessary on Android.

@jcesarmobile
Copy link
Member

I don't think it will be merged

@NiklasMerz
Copy link
Contributor Author

NiklasMerz commented Jan 8, 2019
edited
Loading

The http routing is for Ionic 4 with Angular routing correct? Serving from ionic://localhost on Android is not possible?

I would like to have the option for one origin for both platforms. It was possible with version 2.3.x. Two different origins cause extra headache for developers and may be impossible for certain servers.

@NiklasMerz NiklasMerz changed the title How to deal with two Origins and CORS? Two Origins not ideal for CORS header Jan 8, 2019
@jcesarmobile
Copy link
Member

Yeah, using ionic:// is technically possible, but have some problems like not being able to use getUsermedia, geolocation and some other features that require https or localhost.

We might consider making the scheme configurable so people can use what suits best for them.

@NiklasMerz
Copy link
Contributor Author

Yeah, using ionic:// is technically possible, but have some problems like not being able to use getUsermedia, geolocation and some other features that require https or localhost.

Thank you. I was not aware of these limitations.

We might consider making the scheme configurable so people can use what suits best for them.

Sounds perfect. I will try that out, too.

@agil-NUBBA
Copy link

Hi,

Still thinking how to manage this in a clean way:

if(isset($_SERVER['HTTP_ORIGIN']) && preg_match('/^(http|ionic):\/\/localhost(:)?(\d+)?$/', $_SERVER['HTTP_ORIGIN'], $matches)) {
    header("Access-Control-Allow-Origin: {$matches[0]}");
}

As far as I have tested origin seems to be:
Android: http://localhost:port
iOS: ionic://localhost

jcesarmobile added a commit to jcesarmobile/cordova-plugin-ionic-webview that referenced this issue Jan 16, 2019
@jcesarmobile
feat(Android): Make app Scheme configurable with a preference
d34795b 
Fix ionic-team#269, ionic-team#255
@jcesarmobile jcesarmobile mentioned this issue Jan 16, 2019
Merged
mlynch pushed a commit that referenced this issue Jan 16, 2019
@jcesarmobile @mlynch
feat(Android): Make app Scheme configurable with a preference (#274)
18d9f2c 
Fix #269, #255
Ionitron added a commit that referenced this issue Jan 17, 2019
@Ionitron
chore(release): 3.1.0 [skip ci]
3d36a3c 
# [3.1.0](v3.0.0...v3.1.0) (2019-01-17)

### Bug Fixes

* **ios:** Fix video playback of files with uppercase extension ([#264](#264)) ([2c4b225](2c4b225)), closes [#260](#260)
* Set engines to require Cordova CLI 7.1.0 or newer ([#276](#276)) ([40f42e1](40f42e1)), closes [#263](#263)
* Use a single scheme for all files ([#270](#270)) ([3d1bcdd](3d1bcdd)), closes [#258](#258)

### Features

* **Android:** Make app Scheme configurable with a preference ([#274](#274)) ([18d9f2c](18d9f2c)), closes [#269](#269) [#255](#255)
@jcesarmobile
Copy link
Member

Now on 3.1.0 you can configure the Scheme for Android using this preference <preference name="Scheme" value="ionic" />, so you can make it match the iOS one. But still, I would try to avoid it as some things won't work when using this scheme, use it only when there is no way of configuring the server to allow both origins.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@AMerkuri @jcesarmobile @NiklasMerz @agil-NUBBA