Browser does not send Origin for GET requests from fetch and XHR
gsahbi opened this issue · 1 comment
The assumption that all modern browsers send Origin by default is not true.
And so getClaims and getUserInfo fail.
As per the MDN documentation of the fetch API: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin
Quote:
Broadly speaking, user agents add the Origin request header to:
- cross origin requests.
- same-origin requests except for GET or HEAD requests (i.e. they are added to same-origin POST, OPTIONS, PUT, PATCH, and DELETE requests).
End Quote
In same-site setups you can set an environment variable of CORS_ENABLED='false' to fix this. This turns off any cross-origin behavior or setting of CORS headers. You should also set the equivalent setting in the OAuth proxy nginx module.
Our default deployment uses sibling domains for web static content and token handler components. If you want to avoid this, eg to reduce the overhead of CORS pre-flight requests, you would overwrite our example SPA deployment like this, and the above environment variable is then set:
```sh
export BASE_DOMAIN='example.com'
export WEB_SUBDOMAIN='www'
export API_SUBDOMAIN='www'
export IDSVR_SUBDOMAIN='login'
```
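The following is an added example and is not code from the project or from either participant in this thread. It shows a server-side Origin check that honours the browser rule quoted in the issue (same-origin GET and HEAD requests from fetch and XHR carry no Origin header, while every cross-origin request and every same-origin POST, PUT, PATCH or DELETE does) and models the CORS_ENABLED switch from the reply: with CORS disabled, any request that does name a foreign origin is refused. The function names, the option object, the Sec-Fetch-Site fallback and the sample requests are assumptions made for illustration, not the project's API.

```javascript
// Added example, not code from the project or from anyone in this thread.
// Header names are lower-case, as Node's http.IncomingMessage.headers exposes them.
// opts.selfOrigin     - the API's own origin, e.g. 'https://www.example.com'
// opts.corsEnabled    - mirrors CORS_ENABLED; false refuses all cross-origin requests
// opts.allowedOrigins - Set of cross-origin callers accepted when CORS is enabled
function checkOrigin(method, headers, opts) {
  const { selfOrigin, corsEnabled, allowedOrigins = new Set() } = opts;
  const verb = method.toUpperCase();
  const origin = headers['origin'];

  if (origin !== undefined) {
    if (origin === selfOrigin) {
      return { ok: true, crossOrigin: false, reason: 'same-origin request' };
    }
    if (corsEnabled && allowedOrigins.has(origin)) {
      return { ok: true, crossOrigin: true, reason: 'allow-listed cross-origin request' };
    }
    return { ok: false, crossOrigin: true, reason: 'origin not allowed: ' + origin };
  }

  // No Origin header. Browsers omit it only on same-origin GET/HEAD, so a
  // missing Origin on any other verb did not come from a browser fetch/XHR.
  if (verb !== 'GET' && verb !== 'HEAD') {
    return { ok: false, crossOrigin: false, reason: 'missing Origin on ' + verb };
  }

  // Defence in depth (assumption, not part of the thread): if the browser also
  // sent Sec-Fetch-Site, it must not claim a cross-origin or cross-site source.
  const site = headers['sec-fetch-site'];
  if (site !== undefined && site !== 'same-origin' && site !== 'none') {
    return { ok: false, crossOrigin: true, reason: 'Sec-Fetch-Site ' + site + ' without Origin' };
  }
  return { ok: true, crossOrigin: false, reason: 'same-origin GET/HEAD without Origin' };
}

// CORS response headers for an accepted request. Only accepted cross-origin
// requests get Access-Control-* headers, and the echoed origin is paired with
// Vary: Origin so a shared cache never serves one origin's answer to another.
function corsResponseHeaders(origin, decision) {
  if (!decision.ok || !decision.crossOrigin) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Constructed sample requests for the same-site deployment from the reply:
// SPA and API both live on https://www.example.com and CORS is switched off.
const sameSite = { selfOrigin: 'https://www.example.com', corsEnabled: false };
const sampleRequests = [
  { method: 'GET',  headers: {} },                                    // fetch('/userinfo') from the SPA
  { method: 'POST', headers: { origin: 'https://www.example.com' } }, // same-origin POST
  { method: 'POST', headers: {} },                                    // no browser sends this
  { method: 'GET',  headers: { origin: 'https://attacker.example' } } // cross-origin, CORS off
];

// Returns the accept/reject decision for each sample request, in order.
function runSamples(requests = sampleRequests, opts = sameSite) {
  return requests.map(r => checkOrigin(r.method, r.headers, opts).ok);
}
```

With the sibling-domain layout from the reply (API on one subdomain, SPA on another) the same function is called with corsEnabled true and the SPA origin in allowedOrigins; the first sample request then still passes, because a same-origin GET without Origin is acceptable in either deployment, which is exactly the case the issue reports as failing.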