Closed
Bug 1074806
Opened 10 years ago
Closed 10 years ago
Remove Access-Control-Allow-Credentials branch from CORS middleware
Categories
(Marketplace Graveyard :: Code Quality, defect, P4)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: mat, Unassigned)
Details
(Whiteboard: [repoman])
In our CORS middleware, we check if an API is coming from fireplace origin and add Access-Control-Allow-Credentials to the response if that's the case. The check is done with:
fireplace_url = settings.FIREPLACE_URL
fireplacey = request.META.get('HTTP_ORIGIN') == fireplace_url
But AFAIK settings.FIREPLACE_URL is always set to ''. Furthermore, we don't use cookies in fireplace for auth and our AuthenticationMiddleware even prevents cookie-based auth from working with the API as a security measure.
I believe we should be able to remove those checks from CORSMiddleware and simplify it as a result.
Updated•10 years ago
Priority: -- → P4
Whiteboard: [repoman]
Comment 1•10 years ago
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
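The following sketch is an added example, not the Marketplace code. It reproduces the origin check quoted in the description and shows that, with settings.FIREPLACE_URL set to '', the credentials branch changes nothing for typical requests, so the middleware can be reduced to the simpler form. The function names, the sample origins and the shape of the response headers are assumptions.

```python
# Added sketch of the check from the bug description; not the Marketplace code.
FIREPLACE_URL = ''  # value the reporter says settings.FIREPLACE_URL always has


def cors_headers_before(meta, fireplace_url=FIREPLACE_URL):
    """Origin check as quoted in the bug, plus an assumed response branch."""
    fireplacey = meta.get('HTTP_ORIGIN') == fireplace_url
    if fireplacey:
        # Assumed shape of the branch: a credentialed CORS response names an
        # explicit origin, because browsers reject '*' with credentials.
        return {
            'Access-Control-Allow-Origin': fireplace_url,
            'Access-Control-Allow-Credentials': 'true',
        }
    return {'Access-Control-Allow-Origin': '*'}


def cors_headers_after(meta):
    """Simplified form proposed in the bug: no credentials branch."""
    return {'Access-Control-Allow-Origin': '*'}


# Constructed sample requests, as Django-style META dicts.
SAMPLE_REQUESTS = [
    {'HTTP_ORIGIN': 'https://marketplace.example'},  # cross-origin browser call
    {'HTTP_ORIGIN': 'null'},                         # opaque origin
    {},                                              # no Origin header at all
]


def branch_unused_for(requests=SAMPLE_REQUESTS):
    """True if both versions return identical headers for every request."""
    return all(cors_headers_before(m) == cors_headers_after(m)
               for m in requests)


if __name__ == '__main__':
    for meta in SAMPLE_REQUESTS:
        print(meta, '->', cors_headers_before(meta))
    print('credentials branch unused:', branch_unused_for())
```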