
Making a Mercure hub dispatching updates with Symfony 4.4 works fine until I try using credentials with the mercureAuthorization cookie.

As soon as I add {withCredentials: true} to the EventSource, Firefox kicks out the EventSource request connection with "CORS missing" (whereas Chrome doesn't):

'same origin' policy don't allow consulting 'http://localhost:3000/.well-known/mercure ... ' Reason: CORS header 'Access-Control-Allow-Origin' missing

Plus, I'm supposed to get the mercureAuthorization cookie passed from my page request to the event source request, but it isn't.

Here is my home page cookie:

Set-Cookie: mercureAuthorization=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJtZXJjdXJlIjp7InN1YnNjcmliZSI6WyJodHRwOlwvXC9ub3RpZnkuY29tXC9wYXJhbmdvblwvdGVhbSJdfX0.e5YOGcOx-s-8nn2lbseqcVlk18dVEvgZIoKrDCEureA; path=/.well-known/mercure; httponly; samesite=strict;

My EventSource request:

Request URL: http://localhost:3000/.well-known/mercure?topic=http://notify.com/

No Set-Cookie inside.

EDIT: I finally managed to fix it by working on the same domain! So now I run the Mercure server with:

--adress:'www.mydomain.test:3000/.well-known/mercure ... '

Posting from

'www.mydomain.test/' for example

Set-Cookie:

```php
use Symfony\Component\HttpFoundation\Cookie;

// Symfony 4.4 Cookie constructor, arguments in positional order
return new Cookie(
    'mercureAuthorization', // name
    $token,                 // value (the subscriber JWT)
    0,                      // expire (0 = session cookie)
    '/.well-known/mercure', // path
    null,                   // domain (null = host-only cookie)
    false,                  // secure
    true,                   // httponly
    false,                  // raw
    'Strict'                // same-site
);
```
bycrea
  • The default behaviour applied by Chrome is slightly more permissive than an explicit SameSite=Lax as it will allow certain cookies to be sent on top-level POST requests. You can see the exact details on the [blink-dev announcement](https://groups.google.com/a/chromium.org/d/msg/blink-dev/AknSSyQTGYs/YKBxPCScCwAJ). This is intended as a temporary mitigation, you should still be fixing your cross-site cookies to use SameSite=None; Secure. – automaticAllDramatic Feb 04 '20 at 09:26
  • Thanks for your help, even though I think I've tried everything from SameSite=none/lax/strict with and without secure. I'll give it a shot one more time just in case. May I need to set up the Mercure domain as https? (hard stuff in local env...) – bycrea Feb 07 '20 at 00:03
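To show why the cookie in the question is never attached to the hub request and why Firefox then reports a CORS error, here is an added Python model of the two browser checks involved (this is not code from the question, Symfony or Mercure). It assumes the page was served from http://www.mydomain.test/ (a constructed value, the question only gives the hub URL) and simplifies "site" to the last two host labels, without a public-suffix list.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed scenario from the question: cookie set by the Symfony page, hub on another host.
PAGE_URL = "http://www.mydomain.test/"
HUB_URL = "http://localhost:3000/.well-known/mercure?topic=http://notify.com/"
@dataclass
class Cookie:  # host-only cookie (no Domain attribute), as in the question
    name: str
    path: str = "/"
    same_site: str = "Lax"  # "Strict", "Lax" or "None"
    secure: bool = False
def site_of(host: str) -> str:  # registrable domain, simplified: last two labels, no PSL
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) > 1 else labels[0]

def path_matches(cookie_path: str, request_path: str) -> bool:  # RFC 6265 section 5.1.4
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def cookie_blockers(cookie: Cookie, page_url: str, request_url: str) -> list:
    """Why the browser would NOT attach `cookie` (set by page_url) to an EventSource request; [] = sent."""
    page, req = urlsplit(page_url), urlsplit(request_url)
    reasons = []
    if req.hostname != page.hostname:  # host-only cookie; the port never matters for cookies
        reasons.append(f"host-only cookie of {page.hostname} is not sent to {req.hostname}")
    if not path_matches(cookie.path, req.path or "/"):
        reasons.append(f"Path={cookie.path} does not match {req.path}")
    if cookie.same_site == "None" and not cookie.secure:
        reasons.append("SameSite=None is rejected without Secure (and Secure needs https)")
    elif cookie.same_site != "None" and site_of(req.hostname) != site_of(page.hostname):
        # EventSource is not a top-level navigation, so Lax blocks it just like Strict
        reasons.append(f"SameSite={cookie.same_site} blocks the cross-site request to {req.hostname}")
    return reasons

def cors_blockers(page_url: str, request_url: str, response_headers: dict) -> list:
    """Why a credentialed (withCredentials: true) request would fail the CORS check; [] = allowed."""
    page, req = urlsplit(page_url), urlsplit(request_url)
    if (page.scheme, page.netloc.lower()) == (req.scheme, req.netloc.lower()):
        return []  # same origin (scheme, host and port): CORS is not involved
    origin = f"{page.scheme}://{page.netloc}"
    reasons = []
    if response_headers.get("Access-Control-Allow-Origin") != origin:
        reasons.append(f"Access-Control-Allow-Origin must be exactly {origin}; '*' is refused with credentials")
    if response_headers.get("Access-Control-Allow-Credentials") != "true":
        reasons.append("Access-Control-Allow-Credentials: true is missing")
    return reasons
```

Running `cookie_blockers` with the question's cookie against HUB_URL lists both the host-only and the SameSite=Strict blockers, while a hub on www.mydomain.test:3000 passes the cookie check but still needs an exact Access-Control-Allow-Origin plus Access-Control-Allow-Credentials, because a different port is a different origin.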

0 Answers