abdullah/til
1
0
Fork 0
mirror of https://github.com/jbranchaud/til synced 2026-01-03 07:08:01 +00:00
Code Issues Projects Releases Wiki Activity

Add Allow Cross-Origin Requests To Include Cookies as a devops til

Browse Source
This commit is contained in:
jbranchaud
2020-11-30 17:06:54 -06:00
parent 0615822fb2
commit d3eac4bfa4
2 changed files with 34 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
README.md
View File

@@ -9,7 +9,7 @@ and pairing with smart people at Hashrocket.
For a steady stream of TILs, [sign up for my newsletter](https://tinyletter.com/jbranchaud).
_966 TILs and counting..._
_967 TILs and counting..._
---
@@ -131,6 +131,7 @@ _966 TILs and counting..._
### Devops
- [Aliasing An Ansible Host](devops/aliasing-an-ansible-host.md)
- [Allow Cross-Origin Requests To Include Cookies](devops/allow-cross-origin-requests-to-include-cookies.md)
- [Allow HTTPS Through Your UFW Firewall](devops/allow-https-through-your-ufw-firewall.md)
- [Check The Status of All Services](devops/check-the-status-of-all-services.md)
- [Check The Syntax Of nginx Files](devops/check-the-syntax-of-nginx-files.md)

32
devops/allow-cross-origin-requests-to-include-cookies.md Normal file
View File

@@ -0,0 +1,32 @@
# Allow Cross-Origin Requests To Include Cookies
When making a cross-origin fetch request from a client (e.g. browser) to a
server, all kinds of CORS protections are enforced by the browser. One of those
protections, by default, is to avoid XSS attacks by not sending credentials
(e.g. cookies, authorization headers or TLS client certificates) in the request
or expose credentials to the client JavaScript code.
This is controlled by the
[Access-Control-Allow-Credentials](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials)
header.
If we want to include things like cookies in the request, then we need to have
both the client-originating request and the server to agree to allow
credentials.
The client-side fetch will need to specify that credentials should be included:
```javascript
fetch(url, {
credentials: 'include'
})
```
The server, either in response to a GET or a preflight request, will need to do
two things. First, the response headers need to have
`Access-Control-Allow-Credentials` set to `true`. Second, the
[`Access-Control-Allow-Origin`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)
will need to name the specific origin (the client). In other words, the allowed
origin cannot be set to `*`.
[source](https://stackoverflow.com/a/24689738/535590)