diff --git a/README.md b/README.md index 882e495..4bb23dd 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ and pairing with smart people at Hashrocket. For a steady stream of TILs, [sign up for my newsletter](https://tinyletter.com/jbranchaud). -_966 TILs and counting..._ +_967 TILs and counting..._ --- @@ -131,6 +131,7 @@ _966 TILs and counting..._ ### Devops - [Aliasing An Ansible Host](devops/aliasing-an-ansible-host.md) +- [Allow Cross-Origin Requests To Include Cookies](devops/allow-cross-origin-requests-to-include-cookies.md) - [Allow HTTPS Through Your UFW Firewall](devops/allow-https-through-your-ufw-firewall.md) - [Check The Status of All Services](devops/check-the-status-of-all-services.md) - [Check The Syntax Of nginx Files](devops/check-the-syntax-of-nginx-files.md) diff --git a/devops/allow-cross-origin-requests-to-include-cookies.md b/devops/allow-cross-origin-requests-to-include-cookies.md new file mode 100644 index 0000000..d78b770 --- /dev/null +++ b/devops/allow-cross-origin-requests-to-include-cookies.md 
@@ -0,0 +1,32 @@ +# Allow Cross-Origin Requests To Include Cookies + +When making a cross-origin fetch request from a client (e.g. browser) to a +server, all kinds of CORS protections are enforced by the browser. One of those +protections, by default, is to avoid XSS attacks by not sending credentials +(e.g. cookies, authorization headers or TLS client certificates) in the request +or expose credentials to the client JavaScript code. + +This is controlled by the +[Access-Control-Allow-Credentials](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials) +header. + +If we want to include things like cookies in the request, then we need to have +both the client-originating request and the server to agree to allow +credentials. + +The client-side fetch will need to specify that credentials should be included: + +```javascript +fetch(url, { + credentials: 'include' +}) +``` + +The server, either in response to a GET or a preflight request, will need to do +two things. First, the response headers need to have +`Access-Control-Allow-Credentials` set to `true`. Second, the +[`Access-Control-Allow-Origin`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin) +will need to name the specific origin (the client). In other words, the allowed +origin cannot be set to `*`. + +[source](https://stackoverflow.com/a/24689738/535590)
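Review bot: In the new file's opening paragraph, "to avoid XSS attacks" misnames the protection: withholding cookies and other credentials on cross-origin requests, and hiding the response from the calling script until the server opts in with `Access-Control-Allow-Credentials: true`, defends against cross-site request forgery and cross-origin data theft, not against cross-site scripting, which is an injection problem within an origin. Suggest rewording to "to limit cross-site request forgery and cross-origin data theft". Two smaller points in the same hunk: "either in response to a GET or a preflight request" should read "in response to the actual request (whatever its method) or the preflight request", since the headers are required on the actual response for POST and PUT just as for GET; and because `Access-Control-Allow-Origin` has to name a single origin, a server with several clients usually echoes the request's `Origin` header after checking it against an allowlist, in which case it should also send `Vary: Origin` so a cache never hands one origin's credentialed response to another. A sentence to that effect after "the allowed origin cannot be set to `*`" would keep readers from reflecting arbitrary origins alongside `Access-Control-Allow-Credentials: true`.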