Add option to remove the 'secure' attribute from cookies #1166
The Travis run is failing on node 0.10/0.12, however that's unrelated to this PR - see #1167. |
👍 +1 for this, any plans if this will be merged and released? |
+1 for PR (option
Before the PR my current workaround is:

```js
proxyTable: {
  '/api': {
    target: 'https://xxx',
    // https://stackoverflow.com/questions/35686091/how-can-i-proxy-to-a-ssl-endpoint-with-the-webpack-dev-server-proxy
    secure: false,
    changeOrigin: true,
    cookieDomainRewrite: '',
    // https://github.com/nodejitsu/node-http-proxy/pull/1166
    onProxyRes: (proxyRes) => {
      // drop the Secure attribute from each proxied Set-Cookie header
      let removeSecure = str => str.replace(/; Secure/i, '')
      let set = proxyRes.headers['set-cookie']
      if (set) {
        let result = Array.isArray(set)
          ? set.map(removeSecure)
          : removeSecure(set)
        proxyRes.headers['set-cookie'] = result
      }
    }
  }
}
```
Looking forward to this one being merged! |
This allows cookies proxied from HTTPS sites to be used by a non-HTTPS localhost development environment. Fixes http-party#1165.
eb86fa1 to f373f17
I've rebased this on @jcrugzz / @indexzero I don't suppose you could take a look when you have a spare moment? (Tomorrow will be the one-year anniversary of this PR hehe :-)) |
@jcrugzz, sorry to pester - but would you mind taking a look at this PR? :-) |
Is there anything we can do to help with the review/merge of this? :-) |
There's still people who would like this, any update? :) |
Update for previous comment #1166 (comment)

Option 1: remove 'Secure', 'SameSite' from 'set-cookie'
(Added 'SameSite=None' removal as it requires 'Secure', says MDN) if we remove 'Secure', 'SameSite' should be removed too

```js
proxyTable: {
  '/api': {
    target: 'https://xxx',
    // https://stackoverflow.com/questions/35686091/how-can-i-proxy-to-a-ssl-endpoint-with-the-webpack-dev-server-proxy
    secure: false,
    changeOrigin: true,
    cookieDomainRewrite: '',
    // https://github.com/nodejitsu/node-http-proxy/pull/1166
    onProxyRes: (proxyRes) => {
      // drop Secure and SameSite=None from each proxied Set-Cookie header
      let removeSecure = str => str.replace(/; Secure|; SameSite=None/gi, '')
      let set = proxyRes.headers['set-cookie']
      if (set) {
        let result = Array.isArray(set)
          ? set.map(removeSecure)
          : removeSecure(set)
        proxyRes.headers['set-cookie'] = result
      }
    }
  }
}
```

Option 2: launch an https localhost with webpack-dev-server

// .gitignore
+build/ssl/server.key
+build/ssl/server.cert // build/dev-server.js
-var uri = 'http://localhost:' + port
+var uri = 'https://localhost:' + port
// ...
-module.exports = app.listen(port, function (err) {
+var server = require('./ssl')(app)
+module.exports = server.listen(port, function (err) { // build/ssl/http.js
// https://stackoverflow.com/questions/22453782/nodejs-http-and-https-over-same-port
- server.http = http.createServer(handler);
+ // server.http = http.createServer(handler);
+ server.http = http.createServer((req, res) => {
+ res.writeHead(301, { "Location": "https://" + req.headers['host'] + req.url });
+ res.end();
+ }); // build/ssl/index.js
```js
var cp = require('child_process')
var fs = require('fs')
var http = require('./http')
// turn on https with webpack-dev-server
module.exports = app => {
  try {
    fs.accessSync('build/ssl/server.key')
    fs.accessSync('build/ssl/server.cert')
  } catch (err) { // key or cert does not exist yet: generate a self-signed pair
    // https://superuser.com/questions/226192/avoid-password-prompt-for-keys-and-prompts-for-dn-information
    cp.execSync(`openssl req \
      -new \
      -newkey rsa:4096 \
      -days 365 \
      -nodes \
      -x509 \
      -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
      -keyout build/ssl/server.key \
      -out build/ssl/server.cert`)
  }
  // https://stackoverflow.com/questions/30957793/nodejs-ssl-bad-password-read
  var server = http.createServer({
    key: fs.readFileSync('build/ssl/server.key'),
    cert: fs.readFileSync('build/ssl/server.cert')
  }, app)
  return server
}
```
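Review bot: in the build/ssl/http.js hunk, the redirect builds its Location value from req.headers['host'] without checking it, so whatever Host value a client sends is reflected into the redirect target. Since this server only fronts the local dev environment, consider building the URL from the known 'localhost' and port (as the build/dev-server.js hunk does for uri) instead of the request header. The 301 status is also cached by browsers as permanent, so a 302 or 307 would be easier to undo if the dev setup later goes back to plain HTTP.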
Now with the can i say this just a loophole |
Was this subscription before or after my be here. And carry myself highest code of conduct. I do apologize. |
Closing this PR since I no longer use this project, and want to clean up my PR list (this is the oldest unmerged PR I have, at 6 years old...). |
This allows cookies proxied from HTTPS sites to be used by a non-HTTPS localhost development environment.
A new removeCookieProperty() helper has been added since the existing rewriteCookieProperty() := , and changing that would break the current implementation)
Fixes #1165.
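An attribute-aware version of the Set-Cookie rewrite used in the workaround comments above, intended for a local development proxy only. This is an added example, not code from this PR or from http-proxy; `stripCookieAttributes`, the `onProxyRes` wrapper and the sample headers in the comments are assumptions made for illustration.

```javascript
// Added example (not the PR's removeCookieProperty()): drop Secure and
// SameSite=None from Set-Cookie values by parsing attributes instead of
// regex-replacing the raw header string.

// Decide whether one attribute (text between two ';') should be dropped.
// SameSite is only dropped when its value is None, since None requires Secure.
function shouldDrop(attr) {
  const [name, ...rest] = attr.split('=');
  const key = name.trim().toLowerCase();
  const value = rest.join('=').trim().toLowerCase();
  if (key === 'secure') return true;
  if (key === 'samesite' && value === 'none') return true;
  return false;
}

// Rewrite a single Set-Cookie header value.
function stripOne(header) {
  const parts = header.split(';');
  const pair = parts.shift(); // "name=value" is kept untouched, even if named "secure"
  const kept = parts.map(p => p.trim()).filter(p => p !== '' && !shouldDrop(p));
  return [pair.trim(), ...kept].join('; ');
}

// Accepts what node exposes in headers['set-cookie']: undefined, string or array.
function stripCookieAttributes(setCookie) {
  if (setCookie === undefined) return undefined;
  return Array.isArray(setCookie) ? setCookie.map(stripOne) : stripOne(setCookie);
}

// Same hook shape as the workaround comments; constructed sample input:
//   'sid=abc;secure;SameSite=None'  (no space after ';', lowercase attribute)
function onProxyRes(proxyRes) {
  const rewritten = stripCookieAttributes(proxyRes.headers['set-cookie']);
  if (rewritten !== undefined) proxyRes.headers['set-cookie'] = rewritten;
}
```

Unlike the `/; Secure/i` replace, this also handles `;Secure` without a space and leaves a cookie whose own name is `secure` intact.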