OrangeFactor is now behind SSO, so cross-origin requests to the API
must use `withCredentials` to ensure the session cookie is sent if
it exists. OrangeFactor's API permits this via appropriately set
`Access-Control-Allow-{Origin,Credentials}` headers.

Users will also now be reminded about the need to sign in via
OrangeFactor first.

Unfortunately there's no way to catch the SSO HTTP 302 separately
from other failure modes, since:
(a) the `XMLHttpRequest` spec doesn't allow for telling if a request
redirected
(b) the workaround (sniffing content-type of the response and seeing
if it's `text/html` rather than `application/json`) isn't possible
since BMO's CSP blocks the request to auth0.com.

...however this extension is going to be replaced once OrangeFactor
is decommissioned, so meh.

The redundant hiding of `#orange-graph` has also been removed.
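
The credentialed-CORS requirement the commit message relies on, as an added example that is not part of the original commit or the extension's code: a small model of the browser's response check for a `withCredentials` request. The origins, header values and function names are constructed for illustration; the last function shows why a blocked response looks like any other failure to the calling script.

```javascript
// Added example: models the browser-side CORS check applied to a response.
// All origins and header values used with it are constructed samples.

// Case-insensitive header lookup in a plain object; null when absent.
function header(headers, name) {
  const key = Object.keys(headers).find(
    (k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// Decide whether a response may be exposed to a script running on `origin`.
function corsCheck(origin, headers, withCredentials) {
  const acao = header(headers, "Access-Control-Allow-Origin");
  if (acao === null) {
    return { allowed: false, reason: "no Access-Control-Allow-Origin" };
  }
  if (!withCredentials) {
    const ok = acao === "*" || acao === origin;
    return { allowed: ok, reason: ok ? "ok" : "origin mismatch" };
  }
  // Credentialed mode: the wildcard is rejected, the origin must match
  // exactly, and Allow-Credentials must be the literal string "true".
  if (acao === "*") {
    return { allowed: false, reason: "wildcard origin with credentials" };
  }
  if (acao !== origin) {
    return { allowed: false, reason: "origin mismatch" };
  }
  if (header(headers, "Access-Control-Allow-Credentials") !== "true") {
    return { allowed: false, reason: "Allow-Credentials is not \"true\"" };
  }
  return { allowed: true, reason: "ok" };
}

// What page script observes: a blocked response surfaces as a bare network
// error (status 0, empty body), so the reason for the failure is not visible.
function visibleToScript(origin, response, withCredentials) {
  const verdict = corsCheck(origin, response.headers, withCredentials);
  return verdict.allowed
    ? { status: response.status, body: response.body }
    : { status: 0, body: "" };
}
```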