Remove Access-Control-Allow-Credentials branch from CORS middleware

RESOLVED FIXED

Status

P4
normal
RESOLVED FIXED
4 years ago
4 years ago

People

(Reporter: mat, Unassigned)

Tracking

Points:
---

Details

(Whiteboard: [repoman])

(Reporter)

Description

4 years ago
In our CORS middleware, we check if an API is coming from fireplace origin and add Access-Control-Allow-Credentials to the response if that's the case. The check is done with:

    fireplace_url = settings.FIREPLACE_URL
    fireplacey = request.META.get('HTTP_ORIGIN') == fireplace_url

But AFAIK settings.FIREPLACE_URL is always set to ''. Furthermore, we don't use cookies in fireplace for auth and our AuthenticationMiddleware even prevents cookie-based auth from working with the API as a security measure.

I believe we should be able to remove those checks from CORSMiddleware and simplify it as a result.
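The comparison quoted in the description, as an added sketch that is not part of the bug report or zamboni's code: it runs the check over constructed `request.META` samples to show which requests reach the credentials branch when `FIREPLACE_URL` is `''`. The function names, the sample origins and `https://fireplace.example` are assumptions made for illustration.

```python
# Added sketch, not zamboni's CORSMiddleware. FIREPLACE_URL and the
# HTTP_ORIGIN lookup come from the bug description; every other name
# and all sample requests below are constructed for illustration.

FIREPLACE_URL = ''  # the value the reporter says the setting always has


def credentials_header(meta, fireplace_url=FIREPLACE_URL):
    """Return the extra header the quoted branch would add for this request."""
    fireplacey = meta.get('HTTP_ORIGIN') == fireplace_url
    if fireplacey:
        return {'Access-Control-Allow-Credentials': 'true'}
    return {}


# Constructed stand-ins for request.META.
SAMPLES = {
    'no Origin header': {},
    'fireplace origin': {'HTTP_ORIGIN': 'https://fireplace.example'},
    'other origin': {'HTTP_ORIGIN': 'https://other.example'},
    'empty Origin header': {'HTTP_ORIGIN': ''},
}


def branch_hits(fireplace_url=FIREPLACE_URL):
    """Names of the samples whose response would change if the branch were removed."""
    return [name for name, meta in SAMPLES.items()
            if credentials_header(meta, fireplace_url)]


if __name__ == '__main__':
    # With the setting empty, a missing header gives None (no match) and
    # every real origin is a non-empty string (no match); only a header
    # that is present but empty compares equal to ''.
    print("FIREPLACE_URL = '':", branch_hits(''))
    # With a hypothetical configured value, only that exact origin matches.
    print('FIREPLACE_URL configured:', branch_hits('https://fireplace.example'))
```
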

Updated

4 years ago
Priority: -- → P4
Whiteboard: [repoman]

Comment 1

4 years ago
https://github.com/mozilla/zamboni/pull/2853
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED