Event Source + CORS == NO Cookies???


Phyo Arkar
Aug 30, 2015, 6:07:52 PM
to Ben Darnell, Tornado Mailing List
I am trying to get user info with an EventSource handler, but I can't get get_current_user to work with EventSource URLs, whichever way I try.

Is that a limitation? How can I include secure cookies in EventSource?

I am shocked to find that out :( .

Any workaround? Or do I have to pass user data in URLs?

aliane abdelouahab
Aug 30, 2015, 10:20:56 PM
to Tornado Web Server, b...@bendarnell.com

Phyo Arkar
Aug 31, 2015, 1:45:16 AM
to Tornado Mailing List, Ben Darnell
Thanks @aliane

I just realized that with the wildcard kind of CORS, there are no cookies.
I've tried {withCredentials: true}
and at the server side I did this:

        self.set_header('Access-Control-Allow-Origin', "*")
        self.set_header('Access-Control-Allow-Credentials', "true")

Then, Allow-Credentials doesn't work with Allow-Origin * at all. I need it because I open multiple subdomains, randomly, and for the mobile app, and wildcards do not support subdomains in CORS: only *, a full address, or null.

It seems we need to set Access-Control-Allow-Origin dynamically to allow a wildcard subdomain origin (I need that to bypass the browser-side limit on long-open connections).


Phyo Arkar
Aug 31, 2015, 1:48:22 PM
to Tornado Mailing List, Ben Darnell
Can @ben or @jesse enlighten us a bit? :D

Ben Darnell
Aug 31, 2015, 8:39:05 PM
to Phyo Arkar, Tornado Mailing List
On Mon, Aug 31, 2015 at 7:44 AM, Phyo Arkar <phyo.ar...@gmail.com> wrote:
> Thanks @aliane
>
> I just realized that with the wildcard kind of CORS, there are no cookies.
> I've tried {withCredentials: true}
> and at the server side I did this:
>
>         self.set_header('Access-Control-Allow-Origin', "*")
>         self.set_header('Access-Control-Allow-Credentials', "true")
>
> Then, Allow-Credentials doesn't work with Allow-Origin * at all. I need it because I open multiple subdomains, randomly, and for the mobile app, and wildcards do not support subdomains in CORS: only *, a full address, or null.

The combination of "Allow-Origin: *" and "withCredentials: true" is disallowed for a reason: it allows *any* website to perform authenticated requests with a user's cookies, bypassing any XSRF or same-origin restrictions. You'll have to find another way to solve this, perhaps by designing your URL space to avoid the need for cross-origin requests.

-Ben

Phyo Arkar
Sep 1, 2015, 2:49:22 AM
to Ben Darnell, Tornado Mailing List
Thanks a lot, Ben.
I understand that. I wanted to do something like *.e.phwa.be, but Allow-Origin doesn't allow such syntax (it's all or nothing).

I will just avoid cookies and use URLs instead; I think that's the better way.

Phyo Arkar
Sep 1, 2015, 3:03:58 AM
to Ben Darnell, Tornado Mailing List
I wanted to do something like this.

In Django, we can do it like this:

    # raw string so the regex escapes (\w, \.) are not mangled by Python
    CORS_ORIGIN_REGEX_WHITELIST = (r'^(https?://)?(\w+\.)?google\.com$', )

Phyo Arkar
Sep 1, 2015, 3:49:23 AM
to Ben Darnell, Tornado Mailing List
<IfModule mod_headers.c>
   SetEnvIfNoCase Origin "https?://(www\.)?(domain\.com|staging\.domain\.com)(:\d+)?$" ACAO=$0
   Header set Access-Control-Allow-Origin %{ACAO}e env=ACAO
</IfModule>
Is something like the above possible in Tornado?

Ben Darnell
Sep 1, 2015, 6:59:29 AM
to Phyo Arkar, Tornado Mailing List
On Tue, Sep 1, 2015 at 9:49 AM, Phyo Arkar <phyo.ar...@gmail.com> wrote:
> <IfModule mod_headers.c>
>    SetEnvIfNoCase Origin "https?://(www\.)?(domain\.com|staging\.domain\.com)(:\d+)?$" ACAO=$0
>    Header set Access-Control-Allow-Origin %{ACAO}e env=ACAO
> </IfModule>
> Is something like the above possible in Tornado?

Is that just setting Access-Control-Allow-Origin to the request origin if it matches a regex? Then yes:

    # `matches` is your own allowlist check (e.g. an anchored regex)
    origin = self.request.headers.get('Origin')
    if origin and matches(origin):
        self.set_header('Access-Control-Allow-Origin', origin)
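An added, worked version of Ben's sketch (example code, not Ben's or Tornado's own): the origin is echoed back only when it fully matches an anchored allowlist regex, which is what lets a cookie-bearing EventSource with withCredentials work without the forbidden "*" plus Allow-Credentials pairing. The domain example.com, the handler name EventSourceHandler and the single-subdomain pattern are constructed placeholders for the poster's own setup.

```python
import re

# Constructed allowlist: the apex and any single-label subdomain of
# example.com over https only. Anchored with ^...$ and fullmatch(), so a
# lookalike such as https://evil-example.com or https://example.com.evil.net
# does not pass (an unanchored ".*example\.com" would accept the first).
ALLOWED_ORIGIN_RE = re.compile(r"^https://([a-z0-9-]+\.)?example\.com$")


def allowed_origin(origin):
    """Return the Origin header value if it is on the allowlist, else None."""
    if not origin:
        return None
    return origin if ALLOWED_ORIGIN_RE.fullmatch(origin) else None


def cors_headers(origin):
    """Response headers for a credentialed (cookie-bearing) cross-origin request.

    Browsers reject Access-Control-Allow-Credentials together with
    Access-Control-Allow-Origin: *, so the matched origin is echoed verbatim
    instead. Vary: Origin stops a shared cache from handing one origin's
    response to another. Unknown origins get no CORS headers at all.
    """
    allowed = allowed_origin(origin)
    if allowed is None:
        return {}
    return {
        "Access-Control-Allow-Origin": allowed,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


try:
    import tornado.web
except ImportError:  # allowlist logic above stays usable without Tornado
    tornado = None

if tornado is not None:
    class EventSourceHandler(tornado.web.RequestHandler):  # hypothetical name
        def set_default_headers(self):
            # Runs for every response, including errors, so the browser can
            # read the stream only when the page's Origin is on the allowlist.
            for name, value in cors_headers(self.request.headers.get("Origin")).items():
                self.set_header(name, value)
```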