Menu
I make AJAX calls to CORS server, I make many attempts to be able to read cookies returned on response using javascript client side, however, in vain .
response.header('Access-Control-Allow-Origin', '*');
response.header('Access-Control-Allow-Headers', 'X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept, Set-Cookie');
response.header('Access-Control-Expose-Headers', "Set-Cookie");
//------SET COOKIES
response.cookie('SessionId', GeneratorId(64), {
maxAge:3600000,
httpOnly:flase // i disable httpOnly ==> does not work
});
var xhttp=new XMLHttpRequest();
xhttp.open("POST", "http://localhost:9090/api/map", true);
xhttp,send(`{layer:1}`);
//Append another response' header
response.header('Access-Control-Allow-Credentials','true');
// Before xhttp.send , I add another instruction :
xhttp.withCredentials=true;
//Avoid the wildcard on Access-Control-Allow-Origin =>Replace the first header by :
response.header('Access-Control-Allow-Origin', request.get('Origin'));
// Nothing is appended
With all those attempts , xhttp.getResponseHeader('Set-Cookie') still returns null even :
Set-Cookie is assigned to the response header : Access-Control-Expose-Headers .
311
The Access-Control-Expose-Headers response header allows a server to indicate which response headers should be made available to scripts running in the browser, in response to a cross-origin request. Only the CORS-safelisted response headers are exposed by default.
To send cookies to the server, you need to add the "Cookie: name=value" header to your request. To send multiple Cookies in one cookie header, you can separate them with semicolons. In this Send Cookies example, we are sending HTTP cookies to the ReqBin echo URL.
The Set-Cookie HTTP response header is used to send a cookie from the server to the user agent, so that the user agent can send it back to the server later.
TL;DR: the Set-Cookie header is entirely off-limits: you can't access it, even when you include it in Access-Control-Expose-Headers. However, once it's set, and the cookie isn't marked httpOnly, you should be able to access it through document.cookie.
TMI follows:
As documented here,
A response will typically get its CORS-exposed header-name list set by parsing the
Access-Control-Expose-Headersheader. This list is used by a CORS filtered response to determine which headers to expose.
What a CORS filtered response is, is documented here:
A CORS filtered response is a filtered response whose type is "cors", header list excludes any headers in internal response's header list whose name is not a CORS-safelisted response-header name, given internal response's CORS-exposed header-name list, and trailer is empty.
And safelisted headers are subsequently documented here:
Cache-ControlContent-LanguageContent-TypeExpiresLast-ModifiedPragmaAny value in list that is not a forbidden response-header name.
Finally, the list of forbidden response-header names is listed here:
Set-CookieSet-Cookie2
191
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
