Preflight handshake broken for credentialed CORS #30
Comments
|
Sorry, attached the commit to a separate "issue" |
|
Thanks for the fix :-) |
|
Related issue: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Client handshakes under Cross-origin Request Sharing are not working properly if the following conditions are met
Only condition 1 is guaranteed to be met for the crosssite example.
When both of these conditions are present, a CORS-compliant browser will attempt to use the withCredentials property of the XMLHttpRequest object. However, this requires that the following response header are set.
where exactOrigin is self.request.headers['origin'].
Expected results:
Actual results:
Browsers are strictly enforcing a case-sensitive header value, making True invalid and true valid.
This results in a broken handshake process for any socket.io-client later than 0.8.6.
Related documentation:
http://www.w3.org/TR/cors/#access-control-allow-credentials-respons
https://developer.mozilla.org/En/HTTP_Access_Control#Requests_with_credentials
Related issue in socket.io-client:
socketio/socket.io-client#333
The text was updated successfully, but these errors were encountered: