Cross domain authentication, ajax request and same origin policy
Concerned version
Version: 1.9.7
Platform: Apache
Summary
In cross-domain authentication mode, when making an unauthenticated request in the handler, after being redirected to the portal, the portal responds with an HTTP 401 code and the "WWW-Authenticate xxx" and "Access-Control-Allow-Origin: *" headers. But the browser fails with "Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’".
Logs
n/a
Backends used
n/a
Possible fixes
- I have commented out the following line https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/blob/v1.9/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm#L1596
- And added the necessary CORS headers to the portal's virtual host in the Apache configuration file.
If the portal needs to set "Access-Control-Allow-Origin", maybe using the values of the portal's "trustedDomains" parameter would be a good choice?
Thank you very much for your work!
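To make the failure mode and the suggested fix concrete, here is an added example (not LemonLDAP::NG code, and not the reporter's): the server side echoes one exact origin from an allow-list instead of "*" when credentials are involved, and a second function mirrors the browser check that produces the error quoted above. The allow-list `trustedOrigins` and its sample values are constructed stand-ins for the portal's "trustedDomains" parameter.

```javascript
// Added example, not part of LemonLDAP::NG. A credentialed cross-domain
// request (cookies sent) is rejected by the browser when the response carries
// Access-Control-Allow-Origin: "*". The portal must instead echo exactly one
// trusted origin, add Access-Control-Allow-Credentials: true, and send
// Vary: Origin so a shared cache never serves one origin's answer to another.
const trustedOrigins = new Set([
  "https://app.example.com",    // constructed sample values, stand-ins for
  "https://admin.example.com",  // the portal's "trustedDomains" parameter
]);

// Returns the CORS headers to add to the portal response, or null when the
// Origin header is absent or not allow-listed (then send no CORS headers).
function corsHeadersFor(requestHeaders) {
  const origin = requestHeaders["origin"];
  if (!origin) return null;
  // Exact match only: no suffix/prefix match, no regex, no wildcard, so an
  // origin such as "https://app.example.com.attacker.example" never matches.
  if (!trustedOrigins.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Mirrors the browser-side rule behind the reported error: a response to a
// credentialed request is usable only if Access-Control-Allow-Origin equals
// the requesting origin (never "*") and Allow-Credentials is exactly "true".
function browserAcceptsCredentialedResponse(responseHeaders, requestOrigin) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  const acac = responseHeaders["Access-Control-Allow-Credentials"];
  return acao !== undefined && acao !== "*" &&
    acao === requestOrigin && acac === "true";
}

// Sample run: the "*" response the issue describes versus the allow-listed one.
const origin = "https://app.example.com";
console.log(browserAcceptsCredentialedResponse(
  { "Access-Control-Allow-Origin": "*" }, origin));            // false
console.log(browserAcceptsCredentialedResponse(
  corsHeadersFor({ origin }), origin));                         // true
```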