Raven behind CAS

[istvano]

Hi Guys,

I have a set-up whereby I need to put our sentry under CAS using a reverse-proxy.

my app is avialable:
example.org/app

my sentry is avialable
example.org/sentry

the whole domain is protected by a CAS via a reverse-proxy which uses cookies to store the token for authentication.

The set-up works very well. Altohugh when ravenjs inject the becon into the page the request does not go to my sentry as the Cookies are not sent along the img request. I know this is a security policy issue.

Is there any way to overcome this? I could solve this issue with ajax request by adding Cookie header into the allowed headers ( CORS ) although that does not seem to work for Images

thanks for any suggestion on this.

[mattrobenolt]

There's nothing that is preventing Raven from sending a Cookie as long as the domain is correct, and what you're suggesting, the domains do match. So unless you're specifying the Cookie to only get sent to a specific path, I don't see why this wouldn't work, and without seeing this in practice, I'm not sure what else I can suggest. :(

But inherently, we're not doing anything that wouldn't be covered by normal browser security policies, and those don't prevent Cookies from being sent over images. Cookies are bound to domains and paths, so as long as those check out, it should be fine.

If you're still not sure, I can try to debug if you show me some example http request/responses including the Set-Cookie header from the server.

[chrisirhc]

I just ran into this, it seems that Chrome is treating the request as a cross-origin request and sending the Origin header and skipping cookies (this is default behavior unless withCredentials: true is passed).

I'm not sure why this is happening even though it's a same origin request. Looks like a Chrome bug.
I'm guessing Chrome is doing this as long as there's a hostname and protocol in the request URL.

[chrisirhc]

Could be related to https://code.google.com/p/chromium/issues/detail?id=412163 since I saw that crossOrigin technique in the code here.

Note, this isn't evident in the Firefox browser.