Closed Bug 1074806 Opened 10 years ago Closed 9 years ago

Remove Access-Control-Allow-Credentials branch from CORS middleware

Categories

(Marketplace Graveyard :: Code Quality, defect, P4)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mat, Unassigned)

Details

(Whiteboard: [repoman])

In our CORS middleware, we check if an API is coming from fireplace origin and add Access-Control-Allow-Credentials to the response if that's the case. The check is done with:

    fireplace_url = settings.FIREPLACE_URL
    fireplacey = request.META.get('HTTP_ORIGIN') == fireplace_url

But AFAIK settings.FIREPLACE_URL is always set to ''. Furthermore, we don't use cookies in fireplace for auth and our AuthenticationMiddleware even prevents cookie-based auth from working with the API as a security measure.

I believe we should be able to remove those checks from CORSMiddleware and simplify it as a result.
Priority: -- → P4
Whiteboard: [repoman]
https://github.com/mozilla/zamboni/pull/2853
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
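
The check quoted in the report, modelled without Django and set beside the simplified form. This is an added example, not zamboni's middleware or the code from the pull request. The function names, the `Access-Control-Allow-Origin: *` baseline and the sample origins are assumptions.

```python
# Added illustration; not zamboni's actual CORSMiddleware.
FIREPLACE_URL = ''  # the value the report says settings.FIREPLACE_URL always has


def cors_headers_with_branch(meta, fireplace_url=FIREPLACE_URL):
    """'Before': model of the origin check quoted in the report."""
    headers = {'Access-Control-Allow-Origin': '*'}  # assumed baseline header
    fireplacey = meta.get('HTTP_ORIGIN') == fireplace_url
    if fireplacey:
        headers['Access-Control-Allow-Credentials'] = 'true'
    return headers


def cors_headers_simplified(meta):
    """'After': the credentials branch removed."""
    return {'Access-Control-Allow-Origin': '*'}  # assumed baseline header


def branch_is_dead(origins, fireplace_url=FIREPLACE_URL):
    """True if removing the branch changes no response for these Origin values.

    None models a request that carries no Origin header at all.
    """
    for origin in origins:
        meta = {} if origin is None else {'HTTP_ORIGIN': origin}
        if cors_headers_with_branch(meta, fireplace_url) != cors_headers_simplified(meta):
            return False
    return True


# Constructed sample values; 'null' is what browsers send for an opaque origin.
SAMPLE_ORIGINS = ['https://marketplace.example', 'https://other.example', 'null', None]

if __name__ == '__main__':
    # With the setting empty, no serialized origin can match it.
    print(branch_is_dead(SAMPLE_ORIGINS))
    # Only an empty header value equals the empty setting, so an unset
    # origin setting is better handled by having no branch than by comparing.
    print(branch_is_dead(['']))
```
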