mirror of
https://github.com/jbranchaud/til
synced 2026-01-03 15:18:01 +00:00
33 lines
1.3 KiB
Markdown
33 lines
1.3 KiB
Markdown
# Allow Cross-Origin Requests To Include Cookies
|
|
|
|
When making a cross-origin fetch request from a client (e.g. browser) to a
|
|
server, all kinds of CORS protections are enforced by the browser. One of those
|
|
protections, by default, is to avoid XSS attacks by not sending credentials
|
|
(e.g. cookies, authorization headers or TLS client certificates) in the request
|
|
or expose credentials to the client JavaScript code.
|
|
|
|
This is controlled by the
|
|
[Access-Control-Allow-Credentials](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials)
|
|
header.
|
|
|
|
If we want to include things like cookies in the request, then we need to have
|
|
both the client-originating request and the server to agree to allow
|
|
credentials.
|
|
|
|
The client-side fetch will need to specify that credentials should be included:
|
|
|
|
```javascript
|
|
fetch(url, {
|
|
credentials: 'include'
|
|
})
|
|
```
|
|
|
|
The server, either in response to a GET or a preflight request, will need to do
|
|
two things. First, the response headers need to have
|
|
`Access-Control-Allow-Credentials` set to `true`. Second, the
|
|
[`Access-Control-Allow-Origin`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)
|
|
will need to name the specific origin (the client). In other words, the allowed
|
|
origin cannot be set to `*`.
|
|
|
|
[source](https://stackoverflow.com/a/24689738/535590)
|