Allow Cross-Origin Requests To Include Cookies
When making a cross-origin fetch request from a client (e.g. a browser) to a server, all kinds of CORS protections are enforced by the browser. One of those protections, by default, is to avoid XSS attacks by not sending credentials (e.g. cookies, authorization headers or TLS client certificates) in the request and by not exposing credentials to the client JavaScript code.
This is controlled by the Access-Control-Allow-Credentials header.
If we want to include things like cookies in the request, then both the client-originating request and the server need to agree to allow credentials.
The client-side fetch will need to specify that credentials should be included:
The server, either in response to the actual GET or to a preflight request, will need to do two things. First, the response headers need to have Access-Control-Allow-Credentials set to true. Second, the allowed origin will need to name the specific origin (the client); in other words, the allowed origin cannot be set to *.