Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What exactly does the Access-Control-Allow-Credentials header do?

Tags:

http-headers

cors

I'm trying to understand how to use CORS and am confused about what the Access-Control-Allow-Credentials header does.

The documentation says

Indicates whether or not the response to the request can be exposed when the credentials flag is true.

But I don't understand what the response being "exposed" means.

Can anyone explain what this header being set to true (in conjunction with the credentials flag being set to true) actually does?

like image 650
Nate Avatar asked Jul 10 '14 22:07

Nate

People also ask

What does Access-Control allow credentials do?

The Access-Control-Allow-Credentials response header tells browsers whether to expose the response to the frontend JavaScript code when the request's credentials mode ( Request. credentials ) is include . When a request's credentials mode ( Request.

What is Access-Control expose headers?

The Access-Control-Expose-Headers response header allows a server to indicate which response headers should be made available to scripts running in the browser, in response to a cross-origin request. Only the CORS-safelisted response headers are exposed by default.

Can HTTP headers alone restrict or allow access to resources from specified origins?

HTTP headers alone cannot restrict or allow access to resources from specified origins.

1 Answers

By default, CORS does not include cookies on cross-origin requests. This is different from other cross-origin techniques such as JSON-P. JSON-P always includes cookies with the request, and this behavior can lead to a class of vulnerabilities called cross-site request forgery, or CSRF.

In order to reduce the chance of CSRF vulnerabilities in CORS, CORS requires both the server and the client to acknowledge that it is ok to include cookies on requests. Doing this makes cookies an active decision, rather than something that happens passively without any control.

The client code must set the withCredentials property on the XMLHttpRequest to true in order to give permission.

However, this header alone is not enough. The server must respond with the Access-Control-Allow-Credentials header. Responding with this header to true means that the server allows cookies (or other user credentials) to be included on cross-origin requests.

You also need to make sure your browser isn't blocking third-party cookies if you want cross-origin credentialed requests to work.

Note that regardless of whether you are making same-origin or cross-origin requests, you need to protect your site from CSRF (especially if your request includes cookies).

like image 107
monsur Avatar answered Oct 08 '22 20:10

monsur
Sign in to Comment

Related questions

What security risks exist when setting Access-Control-Allow-Origin to accept all domains?
What is Cache-Control: private?
Set HTTP header for one request
Easy way to test a URL for 404 in PHP?
Set cookies for cross origin requests
Setting HTTP headers
Why is Cache-Control attribute sent in request header (client to server)?
What is HTTP "Host" header?
Can't get rid of header X-Powered-By:Express
In what cases will HTTP_REFERER be empty
Custom header to HttpClient request
How does "304 Not Modified" work exactly?
How to remove ASP.Net MVC Default HTTP Headers?
Difference between Pragma and Cache-Control headers?
Is REST DELETE really idempotent?
what’s the difference between Expires and Cache-Control headers?
What's the difference of $host and $http_host in Nginx
How big can a user agent string get?
What is q=0.5 in Accept* HTTP headers?
Getting HTTP code in PHP using curl

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!