@marcgabe15
Forked from fhfaa/CustomRules.js
Created September 8, 2023 16:45
CORS ALL the things in Fiddler2
  • Install Fiddler2
  • Enable Tools > Fiddler Options > HTTPS > Decrypt HTTPS traffic and install the local Root Cert
  • Go to Rules > Customize Rules... or edit the CustomRules.js file in %USERPROFILE%/Documents/Fiddler2/Scripts or similar
  • Add the following near the top, next to the other RulesOption declarations:
public static RulesOption("Force CORS")
var m_ForceCORS: boolean = true;
  • Add the following at the end of the OnBeforeRequest method:
// If it's an OPTIONS (preflight) request, fake the response and return whatever the client expects.
// NOTE: Methods and Headers are hardcoded. Modify as needed.
if (m_ForceCORS && oSession.oRequest.headers.HTTPMethod == "OPTIONS") {
	// Build the response locally; the preflight never reaches the real server.
	oSession.utilCreateResponseAndBypassServer();

	// Reflect the request's Origin rather than "*": browsers reject a wildcard when Allow-Credentials is "true".
	oSession.oResponse.headers.Add("Access-Control-Allow-Origin", oSession.oRequest.headers["Origin"]);
	oSession.oResponse.headers.Add("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
	oSession.oResponse.headers.Add("Access-Control-Allow-Headers", "Content-Type, Authorization, Accept, Csrf-Token, X-Requested-With, cloudSession, WbeSession, Cookie");
	oSession.oResponse.headers.Add("Access-Control-Max-Age", "1728000");
	oSession.oResponse.headers.Add("Access-Control-Allow-Credentials", "true");

	oSession.responseCode = 200;
}
  • Add the following at the end of the OnBeforeResponse method:
// Also add the headers to any real response whose request carried an "Origin:" header.
// Again, everything is hardcoded. Modify as needed.
// You could also .Remove() the header and .Add("$header_name", oSession.oRequest.headers["$header_name"])
// to mirror the values given in the request.
if (m_ForceCORS && oSession.oRequest.headers.Exists("Origin")) {
	// Remove any CORS header the server already sent so the Add() below does not produce duplicates.
	oSession.oResponse.headers.Remove("Access-Control-Allow-Origin");
	oSession.oResponse.headers.Add("Access-Control-Allow-Origin", oSession.oRequest.headers["Origin"]);

	oSession.oResponse.headers.Remove("Access-Control-Allow-Methods");
	oSession.oResponse.headers.Add("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");

	oSession.oResponse.headers.Remove("Access-Control-Allow-Headers");
	oSession.oResponse.headers.Add("Access-Control-Allow-Headers", "Content-Type, Authorization, Accept, Csrf-Token, X-Requested-With, cloudSession, WbeSession, Cookie");

	oSession.oResponse.headers.Remove("Access-Control-Max-Age");
	oSession.oResponse.headers.Add("Access-Control-Max-Age", "1728000");

	oSession.oResponse.headers.Remove("Access-Control-Allow-Credentials");
	oSession.oResponse.headers.Add("Access-Control-Allow-Credentials", "true");

	// Optional: echo the request's Cookie header back as Set-Cookie (left disabled).
	// if (oSession.oRequest.headers.Exists("Cookie")) {
		// oSession.oResponse.headers.Remove("Set-Cookie");
		// oSession.oResponse.headers.Add("Set-Cookie", oSession.oRequest.headers["Cookie"]);
	// }
}
  • Now instruct ST/ExtJS to set withCredentials to true on any outgoing XHR, ideally via Ext.override.
  • In our case the wrapper around Ext.Ajax.request always sets configObj.withCredentials = true; beforehand.
  • Store proxies (among other things, probably) are handled separately: Ext.data.proxy.Ajax.prototype.config.withCredentials = true; because screw Ext.override.