
CORS cookie not sent in Chrome

I have set up a simple file upload form using jQuery's ajax call to a different domain. The browser has a cookie for the domain, and this cookie is sent with the request in Firefox. However, the cookie is not present in Chrome, resulting in failure to log in. I have verified that the cookie does exist in Chrome; it's just not sent with the request.

The ajax call: Some of this might not be necessary. It was added attempting related solutions and left to demonstrate those attempts.

<head>
    <script src="jquery-2.1.1.min.js"></script>
</head>

<form enctype="multipart/form-data" id="file" method="POST">
    <input name="file" type="file" />
    <input name="Submit" type="button" id="upload"/>
</form>

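<script type="text/javascript">
    // Tell jQuery to attempt cross-domain XHR even if it does not detect support.
    $.support.cors = true;

    $('input#upload').click(function(){
        var formData = new FormData($('form#file')[0]);

        $.ajax({
            url: 'http://accounts.mysite.dev/file/saveasset',
            type: 'POST',
            data: formData,
            cache: false,
            // Let the browser set the multipart Content-Type and boundary.
            contentType: false,
            // Send the FormData object as-is instead of serializing it.
            processData: false,
            // Ask the browser to include cookies on the cross-origin request.
            xhrFields: {
                withCredentials: true
            },
            crossDomain: true
        });
    });
</script>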

Firefox sends the correct headers, including the user's cookie:

POST /file/saveasset HTTP/1.1
Host: accounts.mysite.dev
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://phptest/htmltest/fileUpload.html
Content-Length: 8032
Content-Type: multipart/form-data; boundary=---------------------------4450073521062221055385143281
Origin: http://phptest
Cookie: Accounts=somecookiestuff
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

But Chrome doesn't:

POST /file/saveasset HTTP/1.1
Host: accounts.mysite.dev
Content-Length: 7981
Accept: */*
Origin: http://phptest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/34.0.1847.116 Chrome/34.0.1847.116 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryGyMYxvKgEKWfBR5x
Referer: http://phptest/htmltest/fileUpload.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8

I believe that the server is set up correctly to allow this origin and credentials, but they aren't even sent in Chrome's request. In case it is relevant, my server (PHP w/Zend) sets

$this->_response->setHeader('Access-Control-Allow-Origin', 'http://phptest');
$this->_response->setHeader('Access-Control-Allow-Credentials', 'true');

I do not see any OPTION preflight request on the server.

Why isn't Chrome sending my cookie?

Irate Pirate asked Jun 11 '14 23:06


1 Answer

Check if Chrome is set to block 3rd party cookies:

Menu → Settings → Show Advanced Settings... → Privacy: Content Settings

Make sure "Block third party cookies and site data" is unchecked. Or, if you have something else blocking 3rd party cookies, disable that too.

Had this same problem doing cross-site JSONP requests; the cookies are not sent along on any tag requests across domains.

cnight answered Oct 22 '22 00:10
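
To separate the two failure modes in this thread (server CORS headers versus the browser withholding the cookie), the following added example, which is not part of the question or the answer, classifies a captured request against the response headers the server sets. The function names `parseRequest`, `needsPreflight` and `diagnose` are illustrative, and the sample captures are constructed by trimming the headers quoted in the question. It also shows why no OPTIONS preflight appears: a `multipart/form-data` POST is a simple request.

```javascript
// Added example: classify a captured cross-origin request. Sample captures
// below are constructed (trimmed from the headers quoted in the question).
const SIMPLE_METHODS = ['GET', 'HEAD', 'POST'];
const SIMPLE_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];

function parseRequest(raw) {
  const [requestLine, ...lines] = raw.trim().split(/\r?\n/);
  const headers = {};
  for (const line of lines) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method: requestLine.split(' ')[0], headers };
}

// Only method and Content-Type are checked; author-added custom headers
// (not distinguishable in a capture) would also force a preflight.
function needsPreflight(req) {
  const type = (req.headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  return !SIMPLE_METHODS.includes(req.method) || (type !== '' && !SIMPLE_TYPES.includes(type));
}

function diagnose(rawRequest, responseHeaders) {
  const req = parseRequest(rawRequest);
  const origin = req.headers['origin'];
  const crossOrigin = !!origin && new URL(origin).host !== req.headers['host'];
  const cookieSent = 'cookie' in req.headers;
  // Credentialed CORS needs the exact origin (never "*") plus the literal "true".
  const serverOk = responseHeaders['Access-Control-Allow-Origin'] === origin &&
      responseHeaders['Access-Control-Allow-Credentials'] === 'true';
  let verdict = 'ok';
  if (!serverOk) verdict = 'response headers do not permit a credentialed read';
  else if (crossOrigin && !cookieSent) verdict = 'browser withheld cookie (client cookie policy)';
  return { preflight: needsPreflight(req), crossOrigin, cookieSent, serverOk, verdict };
}

const SERVER = { 'Access-Control-Allow-Origin': 'http://phptest', 'Access-Control-Allow-Credentials': 'true' };
const FIREFOX = `POST /file/saveasset HTTP/1.1
Host: accounts.mysite.dev
Content-Type: multipart/form-data; boundary=----constructed
Origin: http://phptest
Cookie: Accounts=somecookiestuff`;
const CHROME = `POST /file/saveasset HTTP/1.1
Host: accounts.mysite.dev
Content-Type: multipart/form-data; boundary=----constructed
Origin: http://phptest`;

console.log('Firefox:', diagnose(FIREFOX, SERVER).verdict);
console.log('Chrome: ', diagnose(CHROME, SERVER).verdict);
```

When the verdict is that the browser withheld the cookie, no change to the server's `Access-Control-*` headers will help; the cause is on the client, such as the third-party cookie setting the answer points to.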