[MDL-50107] Allow Cross-Site requests on token.php - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 2.8.5, 2.9, 3.0
Fix Version/s: 2.8.7, 2.9.1
Component/s: Web Services
Labels:
- ci
- triaged

Affected Branches:
MOODLE_28_STABLE, MOODLE_29_STABLE, MOODLE_30_STABLE
Fixed Branches:
MOODLE_28_STABLE, MOODLE_29_STABLE
Pull from Repository:
git://github.com/jleyva/moodle.git
Pull Master Branch:
~~MDL-50107~~-master
Pull Master Diff URL:
https://github.com/jleyva/moodle/compare/17abbfb...MDL-50107-master
Documentation link:
https://docs.moodle.org/dev/Web_service_API_functions#Web_service_protocols
Testing Instructions:
Hide

In your Moodle site enable "Mobile services": Plugins ► Web Services ► Mobile

Please, use the attached cors.html file for testing.

You should open that file in a browser (chrome, safari or firefox) using the "File -> Open file" an ensure that the file is opened under the file:// protocol

Enter your site details and your username/password and click Test!

Under the Response.. text you should see a json encoded string contained a generated wstoken
Show
In your Moodle site enable "Mobile services": Plugins ► Web Services ► Mobile Please, use the attached cors.html file for testing. You should open that file in a browser (chrome, safari or firefox) using the "File -> Open file" an ensure that the file is opened under the file:// protocol Enter your site details and your username/password and click Test! Under the Response.. text you should see a json encoded string contained a generated wstoken

Description

All the WS calls declare the header 'Access-Control-Allow-Origin: *'; however token.php does not. But that last one is used to initiate the authenticate process with Moodle (HEAD request) which is blocked by the browsers.

To replicate, add a site with a browser that did not disable CORS.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

cors.html
1 kB
11/Jun/15 12:56 AM

Issue Links

has a non-specific relationship to

MDL-47545 Enable cross origin requests in the Web Service REST server

Closed

will help resolve

MDL-50108 Allow cross domain access for token.php page

Closed

Activity

People

Assignee:: Juan Leyva

Reporter:: Frédéric Massart

Peer reviewer:: Frédéric Massart

Integrator:: Eloy Lafuente (stronk7)

Tester:: Rajesh Taneja

Participants:: CiBoT, Dan Poltawski, Eloy Lafuente (stronk7), Frédéric Massart, Juan Leyva, Rajesh Taneja

Component watchers:: Juan Leyva, David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 05/May/15 3:07 AM

Updated:: 16/Oct/15 12:57 AM

Resolved:: 19/Jun/15 7:19 AM

Fix Release Date:: 6/Jul/15