Option to Disable CORS or Use withCredentials

07-01-2013 04:15 PM
AmericanData
New Contributor
Currently we cannot use the last 3 versions of ArcGIS for JavaScript because authentication cookies are not sent with CORS requests.

I have a couple of ideas to request as a solution:

1) Give us a global configuration option to enable/disable CORS
    esri.config.defaults.io.enableCors = false; // or true


2) Allow us to include credentials in request via esri.setRequestPreCallback

    esri.setRequestPreCallback(function (ioArgs) {
        ioArgs.withCredentials = (shouldUseCredentials(ioArgs.url) === true);
        return ioArgs;
    });


If something like this is already present and I missed it, my mistake.  Please lead me in the right direction.
0 Kudos
8 Replies
JeffJacobson
Occasional Contributor III
Have you tried what is suggested on the Working with Secure Resources page?
0 Kudos
AmericanData
New Contributor
Authentication in general is not the problem though you are on the right track.  We do use a proxy.  But we use subdomaining to allow more requests to our proxy than the standard 2-request limit most browsers procure.  (see Using multiple subdomains with a tiled service layer, an ArcGIS for Silverlight example).

Our proxy uses its own authentication.  It's a custom proxy, not the simple one from ESRI.

If no ideas generate, that's fine.  I'll manipulate the API in-house.  Just making a request because it sure would be nice to have.
0 Kudos
ChrisKeefer
New Contributor
Something like option 2 from american_data would be great. I have a need to consume services from a separate domain that requires a user PKI cert. I'd like to be able to specify 'withCredentials = true' so that the services could be used in a CORS fashion.
0 Kudos
AmericanData
New Contributor
Solved my problem by delving into the API code.  (Thank you so much for being transparent, ESRI!)  Was actually quite simple once you read through it.

It would still be nice to have the option.  But as long as I can override/wrap functions, I'm good.

I would reveal my solution.  But I don't think it's a good idea to expose a hack to the masses.  Would be better to let ESRI add the functionality, in my opinion.
0 Kudos
ChrisKeefer
New Contributor
I'd be very interested to see what you ended up doing. Would you mind PM-ing me if you don't want to expose the hack to the masses?
0 Kudos
DerivenC
New Contributor II
My solution was for a specific scenario. Decided to investigate a more universal solution.  Here's one to turn on withCredentials in general.  This uses DOJO directly, thereby being useful beyond ArcGIS for JS.

Be sure to require "dojo/request/xhr" somewhere and put this in your addOnLoad function.

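    // Keep a reference to the original dojo.xhr; the guard prevents double-wrapping.
    if (!dojo._xhr) {
        dojo._xhr = dojo.xhr;
    }

    // Wrapper: set withCredentials on every request, then delegate to the original.
    dojo.xhr = function(method, args) {
        try {
            args["withCredentials"] = true;
        } catch (e) {
            // args was missing or not an object; the request goes out unchanged
            console.log(e);
        }

        // Forward every argument, including the optional third one, to the original.
        return dojo._xhr.apply(dojo, arguments);
    };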


This works for DOJO 1.8.

I would recommend checking the url before enabling withCredentials.  The url is in args.url.

See dojo/request/xhr for more details on the xhr.

btw deriven = american_data 🙂
0 Kudos
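The URL check recommended in the post above, as an added example (not part of the original post and not Esri or Dojo code): `shouldUseCredentials` is the hypothetical helper named in the first post, implemented here as an exact-origin allow-list, and `wrapXhr` applies it around any `dojo.xhr`-style function. The origins, `PAGE_URL` and the stub transport are constructed for illustration.

```javascript
// Added example. TRUSTED_ORIGINS and PAGE_URL are constructed sample values.
const TRUSTED_ORIGINS = new Set([
    "https://tiles1.example.com",
    "https://tiles2.example.com"
]);
const PAGE_URL = "https://app.example.com/map/index.html";

// Decide whether cookies or client certificates may accompany a request.
// The URL is parsed and the whole origin compared, so a host such as
// tiles1.example.com.other.test cannot pass the way it would a prefix test.
function shouldUseCredentials(url, pageUrl, trusted) {
    let target;
    try {
        target = new URL(url, pageUrl); // resolves relative and //host URLs
    } catch (e) {
        return false; // unparseable URL: never attach credentials
    }
    if (target.origin === new URL(pageUrl).origin) {
        return true; // same-origin: the browser sends credentials anyway
    }
    return target.protocol === "https:" && trusted.has(target.origin);
}

// Wrap a dojo.xhr-style function(method, args, hasBody) so that
// withCredentials is decided per request instead of switched on globally.
function wrapXhr(originalXhr, pageUrl, trusted) {
    return function (method, args) {
        if (args && typeof args.url === "string") {
            args.withCredentials = shouldUseCredentials(args.url, pageUrl, trusted);
        }
        return originalXhr.apply(this, arguments);
    };
}

// Stub transport standing in for dojo.xhr; it only reports the decision.
function stubXhr(method, args) {
    return { url: args.url, withCredentials: args.withCredentials === true };
}
const guardedXhr = wrapXhr(stubXhr, PAGE_URL, TRUSTED_ORIGINS);
```

Subdomained proxies each need their own entry in the allow-list, because the port and scheme are part of the origin that is compared.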
ChrisKeefer
New Contributor
deriven,
Thanks for your reply! I will def make use of this!

I still hope ESRI includes something in a future release.
0 Kudos
TerrySherman
New Contributor
We have been experiencing the same problems.  CORS is only now becoming widely adopted and the ArcGIS JavaScript API is doing too much to automatically enable it or default to require a proxy page.  This has made our initial understanding and troubleshooting of these HTTP Authentication issues confusing.  We should be able to clearly and easily override these automatic behaviors in our API configurations.

I like the concept of Benjamin's solution #1 from post #1 if it can be implemented. 

The dojo XHR "withCredentials" approach from post #7 seems to work and makes complete sense in the context of CORS, but we are a little concerned about security implications we may not have considered.  I suppose since XHR "withCredentials" cannot be used in conjunction with 'Access-Control-Allow-Origin: "*"' it may be safe.

In addition to the implementation of solution #1 from post #1, I would like to see the behavior of post #7 added to the API via a boolean switch in esri.io.defaults.config (for example "esri.config.defaults.io.corsWithCredentials = true" or "esri.config.defaults.io.xhrWithCredentials = true") and documented in the SDK, including any potential security concerns.
0 Kudos
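The server side of the concern raised in the post above, as an added example (not from the thread or from Esri): a response to a request sent with `withCredentials` has to name one exact origin and carry `Access-Control-Allow-Credentials: true`, so a proxy should pick that origin from an allow-list rather than echo whatever `Origin` arrives. The origin values and function names are constructed for illustration.

```javascript
// Added example. ALLOWED_ORIGINS is a constructed sample allow-list.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Build CORS response headers for a credentialed endpoint.
// Unknown origins get no CORS headers, so the browser blocks the read.
function corsHeadersFor(requestOrigin, allowed) {
    if (!requestOrigin || !allowed.has(requestOrigin)) {
        return {};
    }
    return {
        "Access-Control-Allow-Origin": requestOrigin, // exact origin, never "*"
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin" // caches must not reuse this response across origins
    };
}

// Model of the browser's check for a request sent with withCredentials = true:
// the response is readable only if the allowed origin equals the page origin
// exactly and the credentials header is the literal string "true".
function browserAllowsCredentialedRead(headers, pageOrigin) {
    return headers["Access-Control-Allow-Origin"] === pageOrigin &&
        headers["Access-Control-Allow-Credentials"] === "true";
}

// Review helper: list problems in the headers a credentialed endpoint returned.
function auditCredentialedCors(headers, requestOrigin, allowed) {
    const findings = [];
    const acao = headers["Access-Control-Allow-Origin"];
    const creds = headers["Access-Control-Allow-Credentials"] === "true";
    if (acao === "*" && creds) {
        findings.push("wildcard origin with credentials: browsers reject this");
    }
    if (creds && acao === requestOrigin && !allowed.has(requestOrigin)) {
        findings.push("origin echoed without allow-list check");
    }
    if (creds && acao && acao !== "*" && !/\bOrigin\b/i.test(headers["Vary"] || "")) {
        findings.push("missing Vary: Origin on per-origin response");
    }
    return findings;
}
```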