4

I'm doing a BrowserClient POST across domains and don't see my cookies being included.

This the response I'm getting:

enter image description here

When I send another POST request, I don't see the cookies being included:

enter image description here

Going straight to the test page, I can see the cookies being included:

enter image description here enter image description here

The Dart code I use to make a POST:

var client = new BrowserClient();

client.post(url, body: request, headers:{"Content-Type" : "application/json", "Access-Control-Allow-Credentials":"true"}).then((res) {
      if (res.statusCode == 200) {
        var response = JSON.decode(res.body);

        callback(response);
      } else {
        print(res.body);
        print(res.reasonPhrase);
      }
    }).whenComplete(() {
      client.close();
    });

Not sure about the Access-Control-Allow-Credentials header I'm including, with or without it, nothing changes.

Am I missing headers on the server side that needs to be set on the response or is Dartium blocking cross-domain cookies?

More details on Information Security and the reasoning behind setting cookies via the server.

Update: Enhancement request logged: https://code.google.com/p/dart/issues/detail?id=23088

Update: Enhancement implemented, one should now be able to do var client = new BrowserClient()..withCredentials=true; based on https://github.com/dart-lang/http/commit/9d76e5e3c08e526b12d545517860c092e089a313

Community
  • 1
  • 1
Jan Vladimir Mostert
  • 12,380
  • 15
  • 80
  • 137
  • 1
    I guess you need to set `withCredentials=true` on your post request, but I haven't found yet how to do this with the request from the http package (like in http://stackoverflow.com/questions/21770445 or http://stackoverflow.com/questions/16939328). – Günter Zöchbauer Apr 03 '15 at 06:51
  • 1
    I can see special provision being made for that in angular.dart, but not in BrowserClient https://github.com/dsalsbury/angular.dart/commit/9ff1bc321cd201bee09f8420c42e61632481ffb7 – Jan Vladimir Mostert Apr 03 '15 at 07:01
  • If angular.dart is doing it, surely it must be calling standard dart libraries under the hood or does angular.dart have its own BrowserClient-like library? – Jan Vladimir Mostert Apr 03 '15 at 07:29
  • No, in browser you can't do HTTP requests other than using the HttpRequest API from dart:html. Angular and browserClient just forward to it. The http package was created to have an unified API between client and server. On the server it forwards to dart:io and on the browser on dart:html. – Günter Zöchbauer Apr 03 '15 at 07:32
  • Is it possible to do HTTP requests directly to the HttpRequest API in dart:html thereby doing my own BrowserClient implementation? Otherwise, should I log a feature request for withCredentials on the BrowserClient package? – Jan Vladimir Mostert Apr 03 '15 at 08:12
  • Sure, no need to use the http package. This is mostly for convenience for code which targets client and server. Yes, please create a bug report/feature request at http://dartbug.com. – Günter Zöchbauer Apr 03 '15 at 08:14
  • 1
    I've logged an enhancement request: https://code.google.com/p/dart/issues/detail?id=23088 In the meantime I'll go a bit lower level and just use HttpRequest directly. – Jan Vladimir Mostert Apr 03 '15 at 08:46

1 Answers1

3

For cookies being sent to CORS requests, you need to set withCredentials = true. The browser client in the http package doesn't support this argument. You can use the HttpRequest from dart:html instead. See How to use dart-protobuf for an example.

Community
  • 1
  • 1
Günter Zöchbauer
  • 623,577
  • 216
  • 2,003
  • 1,567
  • 2
    A pull-request with a fix for the http package was already made. Hopefully published soon. – Günter Zöchbauer Apr 03 '15 at 17:17
  • I can see the fix on Github, what is the usual timespan for fixes to be published? If it's around a week, I'll wait a bit, otherwise I'll follow the dart-protobuf example so that I can at least finish my authentication layer. – Jan Vladimir Mostert Apr 08 '15 at 05:42
  • According to the changelog on pub.dartlang.org a release containing this change was released two days ago. – Günter Zöchbauer Apr 08 '15 at 05:44
  • 1
    You can just update the package not the entire Dart installation. Just run `pub upgrade` on command line from within your package directory or from the context menu of the `pubspec.yaml` file in DartEditor. – Günter Zöchbauer Apr 08 '15 at 06:01