Login/Register
Dart BrowserClient POST not including my cookies
Asked Answered
Solved cookiesdartcorsdartium
M

1

4

I'm doing a BrowserClient POST across domains and don't see my cookies being included.

This the response I'm getting:

enter image description here

When I send another POST request, I don't see the cookies being included:

enter image description here

Going straight to the test page, I can see the cookies being included:

enter image description here enter image description here

The Dart code I use to make a POST:

var client = new BrowserClient();

client.post(url, body: request, headers:{"Content-Type" : "application/json", "Access-Control-Allow-Credentials":"true"}).then((res) {
      if (res.statusCode == 200) {
        var response = JSON.decode(res.body);

        callback(response);
      } else {
        print(res.body);
        print(res.reasonPhrase);
      }
    }).whenComplete(() {
      client.close();
    });

Not sure about the Access-Control-Allow-Credentials header I'm including, with or without it, nothing changes.

Am I missing headers on the server side that needs to be set on the response or is Dartium blocking cross-domain cookies?

More details on Information Security and the reasoning behind setting cookies via the server.

Update: Enhancement request logged: https://code.google.com/p/dart/issues/detail?id=23088

Update: Enhancement implemented, one should now be able to do var client = new BrowserClient()..withCredentials=true; based on https://github.com/dart-lang/http/commit/9d76e5e3c08e526b12d545517860c092e089a313

Maidservant answered 3/4, 2015 at 6:21 Comment(7)
I guess you need to set withCredentials=true on your post request, but I haven't found yet how to do this with the request from the http package (like in stackoverflow.com/questions/21770445 or stackoverflow.com/questions/16939328).Unrig
I can see special provision being made for that in angular.dart, but not in BrowserClient github.com/dsalsbury/angular.dart/commit/…Maidservant
If angular.dart is doing it, surely it must be calling standard dart libraries under the hood or does angular.dart have its own BrowserClient-like library?Maidservant
No, in browser you can't do HTTP requests other than using the HttpRequest API from dart:html. Angular and browserClient just forward to it. The http package was created to have an unified API between client and server. On the server it forwards to dart:io and on the browser on dart:html.Unrig
Is it possible to do HTTP requests directly to the HttpRequest API in dart:html thereby doing my own BrowserClient implementation? Otherwise, should I log a feature request for withCredentials on the BrowserClient package?Maidservant
Sure, no need to use the http package. This is mostly for convenience for code which targets client and server. Yes, please create a bug report/feature request at dartbug.com.Unrig
I've logged an enhancement request: code.google.com/p/dart/issues/detail?id=23088 In the meantime I'll go a bit lower level and just use HttpRequest directly.Maidservant
G
3

For cookies being sent to CORS requests, you need to set withCredentials = true. The browser client in the http package doesn't support this argument. You can use the HttpRequest from dart:html instead. See How to use dart-protobuf for an example.

Glace answered 3/4, 2015 at 8:16 Comment(4)
A pull-request with a fix for the http package was already made. Hopefully published soon.Unrig
I can see the fix on Github, what is the usual timespan for fixes to be published? If it's around a week, I'll wait a bit, otherwise I'll follow the dart-protobuf example so that I can at least finish my authentication layer.Maidservant
According to the changelog on pub.dartlang.org a release containing this change was released two days ago.Unrig
You can just update the package not the entire Dart installation. Just run pub upgrade on command line from within your package directory or from the context menu of the pubspec.yaml file in DartEditor.Unrig

© 2022 - 2024 — McMap. All rights reserved.