2

I'm building a Backbone.js app to talk to an API that I've also built.

The API sits on api.foo.com, the website on web.foo.com.

I've managed to get CORS working with the appropriate header fields in Apache:

    Header set Access-Control-Allow-Origin "http://web.foo.com"
    Header set Access-Control-Allow-Methods "GET,PUT,POST,DELETE,OPTIONS"
    Header set Access-Control-Allow-Headers Content-Type
    Header set Access-Control-Allow-Credentials "true"
    Header append Access-Control-Allow-Headers Origin
    Header append Access-Control-Allow-Headers Accept
    Header append Access-Control-Allow-Headers X-Requested-With

and setting the xhrFields to

    f = { withCredentials: true}

    params.xhrFields = f;

    // Make the request, allowing the user to override any Ajax options.
    $.ajax(params);

This all works with Chrome. I'm able to do a POST to api.foo.com/sessions to log in, get a cookie, and then do another request to api.foo.com with that cookie.

Unfortunately, when I switched to Firefox 10.0.7, this didn't work. The withCredentials didn't seem to get jQuery to pick up the cookie and use it.

Unlike most of the questions relating to this on Stack Overflow, this is not a one-off; I need to get this to work consistently across browsers (I haven't even got to IE yet).

I'm using:

Backbone.js 0.9.1, jQuery 1.7.1, require 1.0.7, underscore 1.3.1

Works on Chrome 17.0.963.65.

Doesn't work on Firefox 10.0.2.

Can anybody help me?

Mark Lakewood
  • It's really hard to say what's going on based on the above... Any chance of a link that shows the problem? – Boris Zbarsky Mar 10 '12 at 21:09
  • Unfortunately all internal. I get the impression that cross-browser CORS still isn't an easy thing to do. For now I've proxied my Apache instance, so I don't have to worry about it. – Mark Lakewood Mar 12 '12 at 01:45
  • This _should_ be pretty easy to do... If it's not working the same way across browsers, then one or the other browser is broken. Would you maybe be willing to do an HTTP log following the instructions at https://developer.mozilla.org/en/HTTP_Logging and put it somewhere where I can read it? – Boris Zbarsky Mar 12 '12 at 04:31
  • I had a similar issue with CORS working in Chrome but not Firefox and documented it here http://stackoverflow.com/questions/15734031/why-does-the-preflight-options-request-of-an-authenticated-cors-request-work-in – maxbeatty Apr 01 '13 at 19:59

1 Answer

3

Just thought I'd update this question with what I ended up doing. The feeling I get is that CORS is still not an easy thing to do (for good security reasons). Most answers on this subject come down to "Proxy or do CORS" without much explanation of how easy the proxy is. Below is what I needed to put in my website's Apache file to get everything playing nicely:

    ProxyPass /api http://api.foo.com/
    ProxyPassReverse /api http://api.foo.com/

    <Location /api>
        Order allow,deny
        Allow from all
    </Location>

What this does is: for any request going to web.foo.com/api, Apache automatically proxy-passes it to api.foo.com. That means no need for any CORS headers, and all the cookies work fine.

It also means you still have api.foo.com running for other software that isn't JavaScript to query.

This is a really easy way to resolve the need for CORS stuff while still separating an in-house API from the front-ends.

jgauffin
Mark Lakewood
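For setups that keep the CORS headers from the question instead of proxying, the checks a browser applies to a preflight response before sending a credentialed request can be run against the headers the server returns. This is an added example, not part of the original posts; the function name and the sample header sets are constructed for illustration.

```javascript
// Checks applied to a preflight response when the request carries credentials.
// Content-Type is safelisted only for form/plain-text bodies, so it is treated
// here as needing explicit approval (the JSON case).
const SAFELISTED_METHODS = ['GET', 'HEAD', 'POST'];
const SAFELISTED_HEADERS = ['accept', 'accept-language', 'content-language'];

function splitList(value) {
  return (value || '').split(',').map(s => s.trim()).filter(Boolean);
}

// req: { origin, method, headers: [names] }; res: response headers, lowercase keys.
// Returns a list of problems; an empty list means the browser would proceed.
function checkCredentialedPreflight(req, res) {
  const problems = [];
  const allowOrigin = res['access-control-allow-origin'];
  if (allowOrigin === '*') {
    problems.push('Allow-Origin "*" is rejected when credentials are sent');
  } else if (allowOrigin !== req.origin) {
    problems.push('Allow-Origin must equal the request Origin exactly');
  }
  // Must be the literal, case-sensitive string "true".
  if (res['access-control-allow-credentials'] !== 'true') {
    problems.push('Allow-Credentials must be "true"');
  }
  // With credentials, "*" in these lists is a literal, not a wildcard.
  const methods = splitList(res['access-control-allow-methods']);
  if (!SAFELISTED_METHODS.includes(req.method) && !methods.includes(req.method)) {
    problems.push('method not allowed: ' + req.method);
  }
  const allowed = splitList(res['access-control-allow-headers']).map(h => h.toLowerCase());
  for (const name of req.headers.map(h => h.toLowerCase())) {
    if (!SAFELISTED_HEADERS.includes(name) && !allowed.includes(name)) {
      problems.push('header not allowed: ' + name);
    }
  }
  return problems;
}

// Constructed samples: the header set from the question, and a wildcard variant.
const fromQuestion = {
  'access-control-allow-origin': 'http://web.foo.com',
  'access-control-allow-methods': 'GET,PUT,POST,DELETE,OPTIONS',
  'access-control-allow-headers': 'Content-Type, Origin, Accept, X-Requested-With',
  'access-control-allow-credentials': 'true',
};
const wildcard = Object.assign({}, fromQuestion, { 'access-control-allow-origin': '*' });
const request = { origin: 'http://web.foo.com', method: 'PUT',
                  headers: ['Content-Type', 'X-Requested-With'] };
console.log(checkCredentialedPreflight(request, fromQuestion));
console.log(checkCredentialedPreflight(request, wildcard));
```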