Allow cookies from all subdomains #834
Conversation
lib/models/solid-host.js
Outdated
| } | ||
| } | ||
|
|
||
| function getHostName (origin) { |
There was a problem hiding this comment.
Doesn't using origin confuse that there may be other URIs that the hostname is extracted from than the Origin? Or am I confused for other reasons?
There was a problem hiding this comment.
You are right, I will change the parameter name.
kjetilk
left a comment
kjetilk
left a comment
There was a problem hiding this comment.
OK, I think I understand what it does, and it appears sensible, but I don't understand why it does it, so I think I'll leave the approval to others.
RubenVerborgh
force-pushed
the
fix/allow-subdomain-cookies
branch
from
51e43c8 to
0170a22
Compare
kidehen
left a comment
kidehen
left a comment
There was a problem hiding this comment.
Authorization now works, as per "it just works!" interop page.
I was able to add data to @RubenVerborgh's pod in line with RWWCrew ACLs.
See confirmation tweet .
|
I works, but I found some corner cases we are going to hit. Explanation tomorrow, I will now PR @kidehen's workaround to it (which doesn't have the corner cases). |
A side-effect of #793 is that the security mechanism of #526 is not just applied to the cookie-based login method, but to all login methods (WebID-TLS, WebID-OIDC). #526 rejected cookies as authentication mechanism from third-party hosts, requiring other hosts to always send a Bearer header.
However, its definition of "other hosts" did not include subdomains. For example:
This pull request changes things such that
This addresses breakage in 4.1.4 and 4.1.5 caused by #793 as noted by @kidehen in #793 (comment)