- Issue created by @kriboogh
- Merge request !3369 Let ajax calls include credentials if needed by cors. → (Closed) created by kriboogh
- Status changed to Needs review
almost 2 years ago 10:47am 2 February 2023
- Status changed to Needs work
almost 2 years ago 11:37am 2 February 2023
- Status changed to Needs review
almost 2 years ago 11:50am 2 February 2023
- 🇦🇺Australia larowlan 🇦🇺🏝.au GMT+10
There's a security issue with doing this universally
I think it needs to be something sites can knowingly opt into
- 🇧🇪Belgium kriboogh
It's only applied (to all Ajax requests) if you set "supportsCredentials: true" in cors.config
Or do you mean find a means to enable it per Ajax request individually?
- 🇦🇺Australia larowlan 🇦🇺🏝.au GMT+10
I mean globally - we could probably read CORS config from the container Params and use that to inject something into Drupal settings
- 🇧🇪Belgium kriboogh
That's what the patch does do, no?
// If CORS is enabled, make sure ajax calls send the credentials if needed.
+ $cors_config = \Drupal::getContainer()->getParameter('cors.config');
+ $settings['ajaxCrossDomain'] = [
+ 'withCredentials' => $cors_config['supportsCredentials'] ?? FALSE,
+ ];??
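Review bot: the comment line says "If CORS is enabled", but nothing in the added lines checks that CORS is enabled; `withCredentials` is derived from `$cors_config['supportsCredentials']` alone, so the flag reaches drupalSettings for every Ajax request whenever that one key is true. Gate the assignment on the CORS enabled state as well, cast the value to a strict boolean so a non-boolean config value cannot reach the client settings, and cover the flag with a test asserting the resulting `ajaxCrossDomain` setting in both the TRUE and the default FALSE case. Since this turns on credentialed cross-origin requests site-wide, the option's documentation should also state that it is an opt-in and what it implies for the allowed origins.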
- 🇦🇺Australia larowlan 🇦🇺🏝.au GMT+10
Ha, sorry I didn't look at the merge request - yeah like that exactly 😂 serves me right for replying on my phone
We have the ability to test drupalSettings so I think we should at least add a test to ensure that flag is set.
- Status changed to Needs work
almost 2 years ago 2:57pm 9 February 2023
The Needs Review Queue Bot → tested this issue. It fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".
Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.
Consult the Drupal Contributor Guide → to find step-by-step guides for working with issues.
- First commit to issue fork.
- Merge request !5427 Issue #3338518: send credentials in ajax if configured in CORS settings. → (Closed) created by kriboogh
- Merge request !5428 Issue #3338518: send credentials in ajax if configured in CORS settings. → (Closed) created by kriboogh
- 🇧🇪Belgium kriboogh
I think something went wrong here for the merge requests. :/
- Merge request !5429Terminal Issue #3338518: send credentials in ajax if configured in CORS settings. → (Open) created by kriboogh
- 🇧🇪Belgium kriboogh
kriboogh → changed the visibility of the branch 3338518-cors-is-not to hidden.
- 🇧🇪Belgium kriboogh
kriboogh → changed the visibility of the branch 3338518-cors-ajax-101 to hidden.
- Status changed to Needs review
8 months ago 1:01pm 17 May 2024
- 🇧🇪Belgium kriboogh
Added a basic test to see if the drupalSetting is set in javascript if supportsCredentials is set in config.
- Status changed to Needs work
8 months ago 11:32pm 19 May 2024
The Needs Review Queue Bot → tested this issue. It fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".
This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.
Consult the Drupal Contributor Guide → to find step-by-step guides for working with issues.
- Status changed to Needs review
8 months ago 7:20am 21 May 2024
- Status changed to Needs work
8 months ago 7:27pm 27 May 2024
- 🇺🇸United States smustgrave
Appears MR has a failure. Could it be updated to point to 11.x please as that's the current development branch.
- Status changed to Closed: duplicate
8 months ago 9:00am 29 May 2024
- 🇧🇪Belgium kriboogh
I'll close this one and start fresh for 11.x at 3450553; it's gonna be easier than trying to rebase all this. Work will continue there.