Description
Currently, cookie parameters and authorizations fail to be applied in the browser, though it succeeds in Node. This is due to the fact that browsers bar applications from setting or mutating the Cookie request header arbitrarily(citation needed), while Node doesn't particularly care what you do with the header.
Here's some solutions that I came up with for Client/UI/Editor.
Possible solutions
- Use
document.cookieto set the page's cookie content, send those cookies to another origin withfetch({ withCredentials: 'include' }), then put the original cookies back.
This approach would work, but it's quite hacky, and could cause problems for complex applications that use our library. It would not work in IE or Safari, since they don't support withCredentials, which is bad.
- Add an optional request proxy server option, and provide a server implementation that forges cookies for Swagger-Client.
This would only be needed when a user wants to use cookie parameters, but would require the user to maintain a server instance in order for their requests to work. (Or we maintain one.)
- Provide Swagger-UI and Swagger-Editor variants packaged within Electron instead of the browser, which bypass web security restrictions and allow arbitrary cookie values.
This is how Postman works.
- Provide Swagger request helper browser extensions that are capable of bypassing security policies.
This could be relatively straightforward: expose a Swagger-Client interface through an extension, and then call that interface instead of the Swagger-Client that comes with distributions of Swagger-UI/Swagger-Editor.
- Label as
wontfixfor browsers.