Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

noCredentials is not propagating through to AbstractXHRObject #356

Closed
mnpenner opened this issue Dec 22, 2015 · 7 comments
Closed

noCredentials is not propagating through to AbstractXHRObject #356

mnpenner opened this issue Dec 22, 2015 · 7 comments
Labels
priority: 4 (nice to have) status: approved type: bug

Comments

@mnpenner
Copy link

I've got this in my webpack.config.js:

devServer: {
    port: 5584,
    headers: {
        "Access-Control-Allow-Origin": "*",
    },
    hot: true,
    inline: true,
    historyApiFallback: false,
    host: '0.0.0.0',
    noCredentials: true,  // <-------------- 
    lazy: false,
    quiet: false,
    noInfo: true,
},

But I keep getting this error (in Chrome dev tools):

XMLHttpRequest cannot load http://localhost:5584/assets/info?t=1450813117876. A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'http://narsf.dev3' is therefore not allowed access.

I traced this problem back to node_modules/webpack-dev-server/node_modules/sockjs-client/lib/transport/browser/abstract-xhr.js. This block here is setting withCredentials anyway:

  if ((!opts || !opts.noCredentials) && AbstractXHRObject.supportsCORS) {
    debug('withCredentials');
    // Mozilla docs says https://developer.mozilla.org/en/XMLHttpRequest :
    // "This never affects same-site requests."

    this.xhr.withCredentials = 'true';
  }

Because opts isn't coming through at all (it's undefined).

Can you make the noCredentials option flow through, so that we can disable credentials? It's preventing me from using the webpack-dev-server because my app lives at a different domain + port than where dev-server is serving the assets from.
@py-in-the-sky
Copy link

👍

For the time being, I have resolved this locally by fixing the version number of two npm packages:

  • npm install --save-dev socket.io-client@1.3.7
  • npm install --save-dev webpack-dev-server@1.12.1

py-in-the-sky added a commit to py-in-the-sky/gae-flask-redux-react-starter-kit that referenced this issue Jan 11, 2016
@py-in-the-sky
fix version numbers for webpack-dev-server and socket.io-client
7cb3a7f 
until these problems are resolved:
* webpack/webpack-dev-server#356 (comment)
* socketio/socket.io-client#933 (comment)
@mnpenner
Copy link
Author

@py-in-the-sky I tried your fix, I'm still seeing:

XMLHttpRequest cannot load http://myproject.dev3:5584/assets/?EIO=3&transport=polling&t=1453247154614-3. A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'http://myproject.dev3' is therefore not allowed access.

@mnpenner
Copy link
Author

I think I just solved it!

It works with inline: false + you have to omit the omit the path in the entry bundle: it should be something like webpack-dev-server/client?http://0.0.0.0:5584 not ``webpack-dev-server/client?http://0.0.0.0:5584/assets/`.

So my webpack-dev-server config is:

var devServerPort = 5584;
var publicPath = webpackConfig.output.publicPath;

webpackMerge(webpackConfig, {
    devtool:  debug ? 'source-map' : 'eval',
    entry: {
        main: [
            'webpack-dev-server/client?http://0.0.0.0:' + devServerPort,
            'webpack/hot/only-dev-server',
        ],
    },
    plugins: [
        new webpack.HotModuleReplacementPlugin(),
    ],
    devServer: {
        port: devServerPort,
        headers: {
            "Access-Control-Allow-Origin": "*",
        },
        hot: true,
        inline: false,
        historyApiFallback: false,
        stats: {
            colors: true,
        },
        watchOptions: {
            aggregateTimeout: 250,
            poll: 50
        },
        watch: true,
        host: '0.0.0.0',
        noCredentials: true,
        lazy: false, // No watching, compiles on request (cannot be combined with --hot).
        quiet: false, // Display nothing to the console
        noInfo: true, // Display no info to console (only warnings and errors)
    },
    output: {
        publicPath: 'http://' + wxConfig.server + ':' + devServerPort + publicPath
    }
});

By digging through the source I discovered that inline: true adds two entry bundles:

  • webpack-dev-server/client?http://0.0.0.0:5584
  • webpack/hot/dev-server

I wanted webpack/hot/only-dev-server instead so I can't use inline: true.

noCredentials is not a valid option for devServer. One of the nested dependencies (sockjs) uses it somewhere, but it turns out it's not actually needed (anymore?). "Access-Control-Allow-Origin": "*" alone will fix it. [No headers are needed]

Testing with webpack 1.12.11 and webpack-dev-server 1.14.1.

@garrettmaring
Copy link

Any update on this?

@garrettmaring
Copy link

I really terrible hack to this is to go to the node_modules http-browserify and look for the lines that set the params.withCredentials to true. Comment this out and set it to false. Never a good idea to edit node_modules like that but I couldn't find a way of doing it through the webpack config!

@SpaceK33z
Copy link
Member

A PR is welcome.

@SpaceK33z
Copy link
Member

I'm closing this issue since nobody seems to have this problem anymore. If you still have, feel free to do a PR or comment here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
priority: 4 (nice to have) status: approved type: bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@SpaceK33z @mnpenner @py-in-the-sky @garrettmaring