CORS Proxy: fetch() with credentials: "include" (#66)

adamziel · web-flow · commit db243a74be4c · 2025-03-05T09:40:12.000+01:00
diff --git a/packages/php-wasm/web/src/lib/chunked-decoder.ts b/packages/php-wasm/web/src/lib/chunked-decoder.ts
@@ -47,12 +47,17 @@ export class ChunkedDecoderStream extends TransformStream<
 						}
 
 						// Look for CRLF after chunk size
+						if (buffer.length < chunkBytesNb + 2) {
+							// Not enough data, let's wait for more
+							return;
+						}
 						if (
-							buffer.length < chunkBytesNb + 2 ||
 							buffer[chunkBytesNb] !== 13 || // \r
 							buffer[chunkBytesNb + 1] !== 10 // \n
 						) {
-							return;
+							throw new Error(
+								'Invalid chunk size format. Expected CRLF after chunk size'
+							);
 						}
 
 						// Parse the chunk size
@@ -88,12 +93,15 @@ export class ChunkedDecoderStream extends TransformStream<
 						}
 					} else if (state === 'SCAN_CHUNK_TRAILER') {
 						if (buffer.length < 2) {
+							// Not enough data, let's wait for more
 							return;
 						}
 
 						if (buffer[0] !== 13 || buffer[1] !== 10) {
 							// \r\n
-							throw new Error('Expected CRLF after chunk data');
+							throw new Error(
+								'Invalid chunk trailer format. Expected CRLF after chunk data'
+							);
 						}
 
 						buffer = buffer.slice(2);
diff --git a/packages/php-wasm/web/src/lib/fetch-with-cors-proxy.ts b/packages/php-wasm/web/src/lib/fetch-with-cors-proxy.ts
@@ -18,8 +18,20 @@ export async function fetchWithCorsProxy(
 	try {
 		return await fetch(request1);
 	} catch {
+		// If the developer has explicitly allowed the request to pass the
+		// credentials headers with the X-Cors-Proxy-Allowed-Request-Headers header,
+		// then let's include those credentials in the fetch() request.
+		const headers = new Headers(request2.headers);
+		const corsProxyAllowedHeaders =
+			headers.get('x-cors-proxy-allowed-request-headers')?.split(',') ||
+			[];
+		const requestIntendsToPassCredentials =
+			corsProxyAllowedHeaders.includes('authorization') ||
+			corsProxyAllowedHeaders.includes('cookie');
+
 		const newRequest = await cloneRequest(request2, {
 			url: `${corsProxyUrl}${requestObject.url}`,
+			...(requestIntendsToPassCredentials && { credentials: 'include' }),
 		});
 
 		return await fetch(newRequest, init);
diff --git a/packages/playground/php-cors-proxy/cors-proxy.php b/packages/playground/php-cors-proxy/cors-proxy.php
@@ -19,7 +19,7 @@
     header('Access-Control-Allow-Origin: ' . $origin);
     header('Access-Control-Allow-Credentials: true');
     header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
-    header('Access-Control-Allow-Headers: Accept, Authorization, Content-Type, git-protocol, wp_blog, wp_install');
+    header('Access-Control-Allow-Headers: Accept, Authorization, Content-Type, git-protocol, wp_blog, wp_install, x-cors-proxy-allowed-request-headers');
 }
 if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
     header("Allow: GET, POST, OPTIONS");

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@`
`19`	`19`	`header('Access-Control-Allow-Origin: ' . $origin);`
`20`	`20`	`header('Access-Control-Allow-Credentials: true');`
`21`	`21`	`header('Access-Control-Allow-Methods: GET, POST, OPTIONS');`
`22`		`- header('Access-Control-Allow-Headers: Accept, Authorization, Content-Type, git-protocol, wp_blog, wp_install');`
	`22`	`+ header('Access-Control-Allow-Headers: Accept, Authorization, Content-Type, git-protocol, wp_blog, wp_install, x-cors-proxy-allowed-request-headers');`
`23`	`23`	`}`
`24`	`24`	`if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {`
`25`	`25`	`header("Allow: GET, POST, OPTIONS");`