Make requests not send credentials #14293
Comments
This is a weird case - the reason for using this in the first place is that
I'm not sure if anyone is actually using credentials, so if we can replicate the behaviour of non-duplicated requests without using this, I would be in favour of it. It has been some time since I tested it, and it might be that it was fixed - if it was a Chrome bug then (it might be just security reasons, I didn't find much information on this topic). In general I would very much love to avoid adding options like that and adjust what is currently there if possible.
So is it setting
I'm not sure either, but a valid use-case for this would be a static site sitting behind an authentication proxy. But I'm not sure if anyone is doing this, or whether this actually works (since every request would have to be done with credentials enabled for this to work).
Yeah, it does seem silly to add such a specific option - I probably should have opened this as a bug report instead.
Over 1 year ago I used https://github.com/pieh/link-preload-fetch as a barebones example of the issue - I don't remember specifics but I think that not using
I just ran that demo and:
Possibly we could use
The [tests that I ran](#14293 (comment)) suggest that this is no longer needed, and it fixes the [issues I was experiencing](#14293 (comment)). Fixes #14293.
Hiya! This issue has gone quiet. Spooky quiet. 👻 We get a lot of issues, so we currently close issues after 30 days of inactivity. It’s been at least 20 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open! As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request. Check out gatsby.dev/contribute for more information about opening PRs, triaging issues, and contributing! Thanks for being a part of the Gatsby community! 💪💜
Not stale
We're also facing this problem: multiple hosts (xxxxxx.com, xxxxxx.fr, xxxxx.ie,...) need to access the same CDN where assets live.
I'm facing this issue when trying to host the site on google-cloud-storage.
I'd love to help to fix this issue, if there's interest...
* fix(gatsby): Make requests not send credentials. The [tests that I ran](#14293 (comment)) suggest that this is no longer needed, and it fixes the [issues I was experiencing](#14293 (comment)). Fixes #14293.
* Updated docs
* Removed withCredentials that was previously missed.
* Updated snapshots.
* adjust test for asset-prefix
* Ensure manifest is always loaded from content server
* Fix test
Summary
Make gatsby not send credentials when making requests - currently in the following 2 places:
* gatsby/packages/gatsby/cache-dir/loader.js (line 87 in eaa08cf)
* gatsby/packages/gatsby/cache-dir/static-entry.js (line 300 in eaa08cf)
Motivation
We have a slightly weird setup where our assets are on a CDN (enabled by the new `assetPrefix` option), which is a different domain from where the pages are served. This means we have to serve the assets with CORS headers. Moreover, we need them accessible from multiple origins and the headers must be static so we have to set `Access-Control-Allow-Origin` to `*`. Having this header set this way means that browsers error when doing XHRs with credentials.

My initial thought was that credentials can be removed for everyone without causing issues, but some people may have their static sites behind an authentication proxy which means credentials will need to be sent in some cases.
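
The browser behaviour described in the Motivation above, as an added example (not Gatsby's code and not part of the original issue): a JavaScript model of the CORS check from the Fetch Standard, showing why a static `Access-Control-Allow-Origin: *` is rejected once an XHR includes credentials. The origins, the header sets and the function names `corsCheck` and `evaluateCdn` are constructed for illustration.

```javascript
// Model of the Fetch Standard "CORS check" a browser runs on a cross-origin response.
// credentialsMode "include" corresponds to xhr.withCredentials = true; the XHR
// default ("same-origin") sends no cookies or HTTP auth to another origin.
function corsCheck(pageOrigin, credentialsMode, responseHeaders) {
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = String(value).trim(); // header names are case-insensitive
  }
  const allowOrigin = headers['access-control-allow-origin'];
  const withCreds = credentialsMode === 'include';

  if (allowOrigin === undefined) {
    return { ok: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  if (allowOrigin === '*') {
    return withCreds
      ? { ok: false, reason: 'wildcard origin is rejected for a credentialed request' }
      : { ok: true, reason: 'wildcard origin accepted without credentials' };
  }
  if (allowOrigin !== pageOrigin) {
    return { ok: false, reason: `allowed origin ${allowOrigin} does not match ${pageOrigin}` };
  }
  if (!withCreds) {
    return { ok: true, reason: 'exact origin match without credentials' };
  }
  return headers['access-control-allow-credentials'] === 'true'
    ? { ok: true, reason: 'exact origin match and credentials explicitly allowed' }
    : { ok: false, reason: 'Access-Control-Allow-Credentials: true is missing' };
}

// Constructed sample data: two page origins sharing one CDN with static headers.
const PAGE_ORIGINS = ['https://www.example.com', 'https://www.example.fr'];
const CDN_STATIC_HEADERS = { 'Access-Control-Allow-Origin': '*' };

// Evaluate every origin under both XHR settings against the static CDN headers.
function evaluateCdn() {
  const rows = [];
  for (const origin of PAGE_ORIGINS) {
    for (const mode of ['include', 'same-origin']) {
      rows.push({ origin, mode, ...corsCheck(origin, mode, CDN_STATIC_HEADERS) });
    }
  }
  return rows;
}

for (const row of evaluateCdn()) {
  console.log(`${row.origin} credentials=${row.mode}: ${row.ok ? 'allowed' : 'blocked'} (${row.reason})`);
}
```

The authentication-proxy setup raised in the thread would need the last branch instead: an exact origin in `Access-Control-Allow-Origin` plus `Access-Control-Allow-Credentials: true`, which a static wildcard header cannot provide.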