Allow Cross-Origin Requests To Include Cookies

When a client (e.g. a browser) makes a cross-origin fetch request, the browser enforces a set of CORS rules. One of those rules is that, by default, credentials (cookies, Authorization headers and TLS client certificates) are not sent with the request, and the response to a request that did carry credentials is not exposed to the page's JavaScript. This keeps a malicious site from making requests to another origin with the victim's cookies attached and reading the authenticated response.

Whether a credentialed cross-origin response is exposed is controlled by the Access-Control-Allow-Credentials response header.

If we want cookies to be included in the request, both the client-originating request and the server need to opt in.

The client-side fetch will need to specify that credentials should be included (the default, `same-origin`, only sends them to the page's own origin):

```javascript
fetch(url, {
  // send cookies and expose the response even though url is cross-origin
  credentials: 'include'
})
```

The server needs to do two things in its response, both to the preflight (OPTIONS) request, if there is one, and to the actual request. First, the response headers need to have Access-Control-Allow-Credentials set to true. Second, Access-Control-Allow-Origin must name the specific origin of the client; the browser rejects the wildcard `*` when credentials are included. That rule exists so the server has to decide which origins get the user's credentials, so echo the Origin header only after checking it against an allowlist (reflecting every Origin back is equivalent to `*`), and add Vary: Origin so caches do not serve one origin's response to another. The cookie itself must also be set with SameSite=None; Secure, or modern browsers will not attach it to a cross-site request in the first place.
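The server side of this, as an added example that is not from the original note: a small handler that computes the CORS response headers for both the preflight and the actual request. The allowlist `ALLOWED_ORIGINS`, the `corsHeadersFor` / `handleRequest` names and the sample cookie value are assumptions made for the example; `handleRequest` takes the request method and a lower-cased header map in place of a real HTTP request object.

```javascript
// Added example: credentialed CORS on the server. Not code from the original TIL.
// ALLOWED_ORIGINS is an assumed allowlist; the browser rejects `*` together with
// Access-Control-Allow-Credentials, and reflecting every Origin would be `*` in disguise.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Returns the CORS headers for a request coming from `origin`, or null when the
// origin is missing or not on the allowlist. The allowed origin is echoed back
// as the exact string it was sent as.
function corsHeadersFor(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // Caches must key on Origin so one origin's response is not served to another.
    'Vary': 'Origin',
  };
}

// Simulates how the server answers one request. `method` is the HTTP method and
// `headers` a map of lower-cased request header names to values (assumed shape).
// Returns the status and response headers the server would send.
function handleRequest(method, headers) {
  const origin = headers['origin'];
  const cors = corsHeadersFor(origin);

  // Preflight: the browser asks permission before sending e.g. a PUT with a JSON body.
  const isPreflight = method === 'OPTIONS' && 'access-control-request-method' in headers;
  if (isPreflight) {
    if (!cors) return { status: 403, headers: {} };
    return {
      status: 204,
      headers: {
        ...cors,
        // With credentials these cannot be `*` either; list them explicitly.
        'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE',
        'Access-Control-Allow-Headers': 'Content-Type, X-Requested-With',
        'Access-Control-Max-Age': '600',
      },
    };
  }

  // Actual request. A same-origin caller sends no Origin header and needs no CORS
  // headers. An allowed cross-origin caller gets the CORS headers so its JavaScript
  // may read the response. Any other origin gets the response without CORS headers,
  // which makes the browser block the page from reading it. Note the request itself
  // still reached the server, so state-changing endpoints need CSRF protection of
  // their own; CORS only governs what the calling page can read back.
  const loggedIn = headers['cookie'] === 'session=abc123'; // constructed sample cookie
  return {
    status: 200,
    headers: cors || {},
    body: loggedIn ? 'private data' : 'not logged in',
  };
}

// The matching client call, for reference:
//   fetch('https://api.example.com/me', { credentials: 'include' })
```

Run against a preflight from `https://app.example.com` the handler answers 204 with the origin echoed and `Access-Control-Allow-Credentials: true`; the same preflight from an unlisted origin gets 403, and a plain GET from an unlisted origin gets a 200 with no CORS headers, which the browser will refuse to hand to the page.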

source