restricted cookie access via cross origin xhr requests running through pub serve


Jim Trainor

Dec 20, 2014, 12:33:02 PM12/20/14
to mi...@dartlang.org
As a result of a programming error in my own Dart client code running in Dartium, I discovered that I could successfully access restricted cookie values both in the html.document.cookie property and in the request response of a cross-origin XHR request made through pub serve. When I turn pub serve off, my code failed because I could no longer access the cookie values. Failure is correct in this case because the cookies should not be accessible (is my understanding).

To be totally clear, what I believe to be incorrect access to the cookies occurs when:
1. I run my Dart code with "use pub server" ticked off in the project's Dart Editor launch config.
2. I launch Dartium with the option --disable-web-security so that cross-origin XHR requests go through.
3. My Dart code is loaded in Dartium using http://127.0.0.1:3030 (the Dart Editor server) (no pub serve).
4. My cross-origin request goes to localhost port 8888 successfully.
5. I attempt to read the cookie value in the reply and cannot - as expected.
6. Do the above but with pub serve enabled in the launch config (so app is now served from the pub server port not from 3030) and I succeed in reading the cookie value.

Is this a bug in pub serve?  Is this a bug at all?


Günter Zöchbauer

Dec 20, 2014, 12:46:57 PM12/20/14
to mi...@dartlang.org
I would say this is expected behavior.
`pub serve` is not at all for production, but for development only and by no means a full featured web server.
A recent change makes `pub serve` send CORS headers by default, so you shouldn't need `--disable-web-security` anymore.

Jim Trainor

Dec 20, 2014, 3:31:35 PM12/20/14
to mi...@dartlang.org
I test my Dart code against an App Engine dev server. The Dart Editor server simply serves the Dart files. The unit tests all make cross-origin requests to the App Engine server to access test data. It seems to me the behaviour should be identical or else reliability of the unit tests is affected (as it was in my case - I had one test that passed and another that failed, both on the same code... the difference was only the pub serve setting in the launch config). It's a minor difference, but a difference nonetheless. I don't really understand what is happening that would cause the cookie header value to be available in one case but not the other. It seems it should never be available. In both cases a cross-origin XHR request is made from the Dart code. The browser knows it is cross-origin and therefore inhibits access to the cookie header property. Somehow the Dart code can expose the cookies if it is hosted by pub serve? I must be failing to understand something about how pub serve works, because I don't see how the server choice should affect this, but that's what I'm seeing.
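The browser rule Jim is relying on is the Fetch standard's treatment of response headers: `Set-Cookie` is a forbidden response header name that script can never read, and a cross-origin XHR only exposes the CORS-safelisted headers plus whatever the server lists in `Access-Control-Expose-Headers`; likewise `document.cookie` only shows non-HttpOnly cookies for the page's own host. The following is an added example (not code from this thread, from pub serve or from the Dart SDK) that models those rules in plain JavaScript so they can be checked offline; the function names and the sample headers and cookie jar are constructed for illustration.

```javascript
// Added example (not code from the thread or from pub serve): a model of the
// Fetch standard's rules for which response headers a browser lets script read
// from an XMLHttpRequest, plus the document.cookie visibility rule. Names such
// as exposedHeaders() and the sample data below are constructed for illustration.
'use strict';

// CORS-safelisted response header names: readable cross-origin without an
// Access-Control-Expose-Headers grant.
const CORS_SAFELISTED_RESPONSE_HEADERS = new Set([
  'cache-control', 'content-language', 'content-length', 'content-type',
  'expires', 'last-modified', 'pragma',
]);

// Forbidden response header names: never readable by script, even same-origin.
const FORBIDDEN_RESPONSE_HEADERS = new Set(['set-cookie', 'set-cookie2']);

// Returns the subset of `headers` (name -> value) that getResponseHeader()
// would expose. `crossOrigin` says whether the request was cross-origin;
// `withCredentials` whether cookies were sent, which disables the `*` wildcard.
function exposedHeaders(headers, { crossOrigin, withCredentials = false }) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) {
    lower[name.toLowerCase()] = value;
  }
  const allowed = new Set();
  let wildcard = false;
  const grant = lower['access-control-expose-headers'];
  if (grant) {
    for (const raw of grant.split(',')) {
      const name = raw.trim().toLowerCase();
      if (name === '*') wildcard = !withCredentials;
      else if (name) allowed.add(name);
    }
  }
  const exposed = {};
  for (const [name, value] of Object.entries(lower)) {
    if (FORBIDDEN_RESPONSE_HEADERS.has(name)) continue;
    if (crossOrigin && !CORS_SAFELISTED_RESPONSE_HEADERS.has(name)
        && !allowed.has(name) && !wildcard) continue;
    exposed[name] = value;
  }
  return exposed;
}

// Returns the "name=value" pairs document.cookie would show for a page on
// `host`: only cookies stored for that host, and never HttpOnly ones.
function documentCookieView(cookieJar, host) {
  return cookieJar
    .filter((c) => c.domain === host && !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed sample response, as a backend on localhost:8888 might answer.
const SAMPLE_RESPONSE_HEADERS = {
  'Content-Type': 'application/json',
  'Set-Cookie': 'session=s3cr3t; HttpOnly; Path=/',
  'X-Request-Id': 'abc123',
  'X-Internal': 'debug',
  'Access-Control-Allow-Origin': 'http://127.0.0.1:3030',
  'Access-Control-Expose-Headers': 'X-Request-Id',
};

// Constructed cookie jar: an HttpOnly session cookie and two script-visible ones.
const SAMPLE_COOKIE_JAR = [
  { name: 'session', value: 's3cr3t', domain: 'localhost', httpOnly: true },
  { name: 'theme', value: 'dark', domain: 'localhost', httpOnly: false },
  { name: 'theme', value: 'light', domain: '127.0.0.1', httpOnly: false },
];

// Runs the model over the sample data from both a cross-origin and a
// same-origin page and returns what script would see in each case.
function demo() {
  return {
    crossOrigin: exposedHeaders(SAMPLE_RESPONSE_HEADERS, { crossOrigin: true }),
    sameOrigin: exposedHeaders(SAMPLE_RESPONSE_HEADERS, { crossOrigin: false }),
    cookiesOnLocalhost: documentCookieView(SAMPLE_COOKIE_JAR, 'localhost'),
    cookiesOn127: documentCookieView(SAMPLE_COOKIE_JAR, '127.0.0.1'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with `node` to see that `Set-Cookie` is absent in both the cross-origin and the same-origin view, that `X-Internal` drops out cross-origin because it is neither safelisted nor granted, and that a page on `127.0.0.1` and a page on `localhost` see different `theme` cookies even though both are "local". The model deliberately stops at header exposure: whether the cross-origin response is readable at all (the `Access-Control-Allow-Origin` and `Access-Control-Allow-Credentials` check) is a separate step that `--disable-web-security` switches off entirely, which is why a comparison between that flag and a server that emits CORS headers itself is not apples to apples.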



Günter Zöchbauer

Dec 20, 2014, 5:48:22 PM12/20/14
to mi...@dartlang.org
I understand that, but where to draw the line? 
I suggest you just create a bug report and see how the Dart team responds.