Skip to content

Commit 8b1f4be

Browse files
mvaligurskyMartin Valigursky
andauthored
Add withCredentials option for asset loading (#8983)
Co-authored-by: Martin Valigursky <mvaligursky@snapchat.com>
1 parent 48819ac commit 8b1f4be

4 files changed

Lines changed: 56 additions & 2 deletions

File tree

src/framework/app-base.js

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -809,6 +809,11 @@ class AppBase extends EventHandler {
809809
this.loader.maxConcurrentRequests = props.maxConcurrentRequests;
810810
}
811811

812+
// send asset requests with credentials - applied before preloading so preloaded assets pick it up
813+
if (typeof props.withCredentials === 'boolean') {
814+
this.loader.withCredentials = props.withCredentials;
815+
}
816+
812817
// TODO: remove this temporary block after migrating properties
813818
if (!props.useDevicePixelRatio) {
814819
props.useDevicePixelRatio = props.use_device_pixel_ratio;

src/framework/handlers/loader.js

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -388,6 +388,36 @@ class ResourceLoader {
388388
return http.maxConcurrentRequests;
389389
}
390390

391+
/**
392+
* Sets whether asset requests are sent with credentials. When true, cross-origin requests
393+
* include credentials (cookies, client TLS certificates and HTTP authentication), allowing
394+
* assets to be loaded from an authenticated cross-origin host. The server must respond with a
395+
* non-wildcard `Access-Control-Allow-Origin` and `Access-Control-Allow-Credentials: true`.
396+
* Defaults to false.
397+
*
398+
* Set this before assets start loading (i.e. before {@link AppBase#preload} or
399+
* {@link AssetRegistry#load}). Note this is a process-global setting (it applies to the shared
400+
* HTTP layer), so with multiple applications the last value set wins. It applies to all
401+
* XHR-based requests, which covers the large majority of asset loads.
402+
*
403+
* @type {boolean}
404+
* @example
405+
* // load all assets from an authenticated cross-origin host
406+
* app.loader.withCredentials = true;
407+
*/
408+
set withCredentials(value) {
409+
http.withCredentials = !!value;
410+
}
411+
412+
/**
413+
* Gets whether asset requests are sent with credentials.
414+
*
415+
* @type {boolean}
416+
*/
417+
get withCredentials() {
418+
return http.withCredentials;
419+
}
420+
391421
/**
392422
* Destroys the resource loader.
393423
*/

src/framework/parsers/texture/img.js

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -86,7 +86,11 @@ class ImgParser extends TextureParser {
8686

8787
_loadImage(url, originalUrl, crossOrigin, callback, asset) {
8888
const image = new Image();
89-
if (crossOrigin) {
89+
if (http.withCredentials) {
90+
// an <img> element cannot use the XHR `withCredentials` flag, so 'use-credentials' is
91+
// the equivalent way to send credentials with a cross-origin image request
92+
image.crossOrigin = 'use-credentials';
93+
} else if (crossOrigin) {
9094
image.crossOrigin = crossOrigin;
9195
}
9296

src/platform/net/http.js

Lines changed: 16 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -68,6 +68,21 @@ class Http {
6868

6969
static retryDelay = 100;
7070

71+
/**
72+
* The default `withCredentials` value used by requests that don't specify it explicitly in
73+
* their options. When true, cross-origin requests are sent with credentials (cookies, client
74+
* TLS certificates and HTTP authentication). Individual requests can still override this via
75+
* `options.withCredentials`. Defaults to false.
76+
*
77+
* This is a process-global default on the shared {@link http} instance and applies to all
78+
* XHR-based requests (most asset loads). Prefer setting it via
79+
* {@link ResourceLoader#withCredentials}.
80+
*
81+
* @type {boolean}
82+
* @ignore
83+
*/
84+
withCredentials = false;
85+
7186
/**
7287
* The configured concurrency limit. See {@link Http#maxConcurrentRequests}.
7388
*
@@ -456,7 +471,7 @@ class Http {
456471

457472
const xhr = new XMLHttpRequest();
458473
xhr.open(method, url, options.async);
459-
xhr.withCredentials = options.withCredentials !== undefined ? options.withCredentials : false;
474+
xhr.withCredentials = options.withCredentials !== undefined ? options.withCredentials : this.withCredentials;
460475
xhr.responseType = options.responseType || this._guessResponseType(url);
461476

462477
// Set the http headers

0 commit comments

Comments
 (0)