Current behavior
AngularTokenInterceptor sends its headers to an outside domain (CORS) when apiBase is null or blank. This breaks CORS requests.
https://github.com/neroniaky/angular-token/blob/master/projects/angular-token/src/lib/angular-token.interceptor.ts#L23
Expected behavior
AngularTokenInterceptor should not use the match test when the apiBase configuration is blank or null. This breaks CORS requests running through the pipeline and also leaks data to outside servers.
What is the motivation / use case for changing the behavior?
Breaks CORS requests by adding unacceptable request headers.
Leaks tokens outside of the authentication domain.
Environment
Angular-Token version: 6.0.4 (still an issue in current)
Angular version: 7.0.3
Bundler:
[ ] Angular CLI (Webpack)
[ ] Webpack
[ ] SystemJS
Browser:
[x] Chrome (desktop) version XX
[x] Chrome (Android) version XX
[ ] Chrome (iOS) version XX
[x] Firefox version XX
[ ] Safari (desktop) version XX
[ ] Safari (iOS) version XX
[ ] IE version XX
[ ] Edge version XX
Others:
Not sure the best way to fix this, but there needs to be some way to prevent tokens from being appended to every request going through the pipeline when the api base is set to "", which will be the default in 95% of cases.
Not sure the best way to fix this, but the default configuration is insecure and breaks CORS requests where servers do not accept the headers which are being added to the request.
In my case, I cannot change the API base to a specific URL because we are deploying the same code across different subdomains. Also, setting the API base at runtime has implications for AOT compilation. I think the default configuration should be that if a request is to a host on a different domain, a flag has to be set to specifically enable CORS authentication. Alternatively, having a glob-type check for whitelisting and blacklisting of URLs might work.
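As an added example (not angular-token's own code), here is a framework-free TypeScript version of the scoping rule the issue and the comment above ask for: compare the request's origin with the configured apiBase, or, when apiBase is blank or null, with the page origin plus an explicit allowlist, instead of a substring match that matches everything when apiBase is "". The function names, the policy shape and the access-token/client/uid header names are assumptions; the `legacyMatchTest` function only models the behaviour the issue describes.

```typescript
// Added example, not angular-token's own code. Names and policy shape are assumed.
interface TokenScopePolicy {
  apiBase: string | null;      // configured API base; "" or null is the common default
  pageOrigin: string;          // origin the Angular app is served from
  allowedOrigins?: string[];   // explicit opt-in for cross-origin authentication
}

// Resolve a possibly relative URL to its origin; null if it cannot be parsed.
function resolveOrigin(url: string, base: string): string | null {
  try {
    return new URL(url, base).origin;
  } catch {
    return null;
  }
}

// Decide whether token headers may be attached to a request for `requestUrl`.
function shouldAttachToken(requestUrl: string, policy: TokenScopePolicy): boolean {
  const target = resolveOrigin(requestUrl, policy.pageOrigin);
  if (target === null) return false;                     // unparsable URL: never attach
  if (policy.apiBase) {
    // Compare whole origins, so "https://api.example.com.evil.net" is not accepted
    // as a prefix/substring match for "https://api.example.com".
    return target === resolveOrigin(policy.apiBase, policy.pageOrigin);
  }
  // Blank or null apiBase: same-origin only, plus an explicit allowlist.
  return target === policy.pageOrigin || (policy.allowedOrigins ?? []).includes(target);
}

// Model of the "match test" the issue describes: a blank apiBase matches every URL,
// and a string pattern is treated as a regex that may match anywhere in the URL.
function legacyMatchTest(requestUrl: string, apiBase: string | null): boolean {
  return !apiBase || requestUrl.match(apiBase) !== null;
}

type Req = { url: string; headers: Record<string, string> };

// Interceptor-style step: add the auth headers only when the policy allows it.
function withAuthHeaders(req: Req, token: { accessToken: string; client: string; uid: string },
                         policy: TokenScopePolicy): Req {
  if (!shouldAttachToken(req.url, policy)) return req;   // leave foreign requests untouched
  return {
    url: req.url,
    headers: { ...req.headers, 'access-token': token.accessToken, client: token.client, uid: token.uid },
  };
}
```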