This repository was archived by the owner on Jan 11, 2023. It is now read-only.

Clarify assumptions made by preload #1135

Merged
merged 3 commits into from
May 13, 2020
Changes from 2 commits
7 changes: 6 additions & 1 deletion site/content/docs/04-preloading.md
Expand Up @@ -83,7 +83,12 @@ To fix this, Sapper provides `this.fetch`, which works on the server as well as
</script>
```

Note that you will need to use session middleware such as [express-session](https://github.com/expressjs/session) in your `app/server.js` in order to maintain user sessions or do anything involving authentication.
It is important to note that `preload` may run on either the server or in the client browser. Code called inside `preload` blocks:
- should run on the same domain as any upstream api servers requiring credentials; otherwise `credentials: 'include'` cannot guarantee access to 3rd party session cookies
Member

Shouldn't `credentials: 'include'` send the cookies even to other domains?

@benmccann Doesn't that depend on how a project has their CORS settings configured? I'm pretty new to NodeJS so I might be mistaken.

Member

Cookies can't be cross-domain. Cookies from .domain.com will only ever be sent to .domain.com.

- should not reference `window`, `document` or any browser-specific objects
- should not reference any api keys or secrets, which will be exposed to the client

If you are using Sapper as an authentication/authorization server, you can use session middleware such as [express-session](https://github.com/expressjs/session) in your `app/server.js` in order to maintain user sessions.


#### this.error
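
Review bot: The first added bullet, "should run on the same domain as any upstream api servers requiring credentials", is ambiguous about what has to share a domain. The sentence directly above it says `preload` may run on the server or in the browser, so "code should run on the same domain" has no clear meaning in the browser case; what matters is the host the request is sent to. Suggest phrasing it in terms of the request target, for example: "should only make credentialed requests to APIs on the same domain as the app; when `preload` runs on the server, the only cookies available are the ones the browser sent to the app". In the same bullets, "api" should be "API" and "3rd party" should be "third-party". Separately, the removed sentence said readers "will need" session middleware for "anything involving authentication", while its replacement only covers "using Sapper as an authentication/authorization server"; consider keeping a line for apps that only consume a session. The second blank line added before `#### this.error` can be dropped.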