Warm tip: This article is reproduced from serverfault.com, please click
cookies cors javascript apigee preflight

Cross-domain cookies in preflight requests using Apigee

发布于 2020-11-30 13:49:14

Two components:

  1. A React single page app on https://react.mycompany.com
  2. A Apigee API proxy on https://apigee.proxy.com

On login Apigee sets a jwt cookie using the Set-Cookie header:

Set-Cookie: jwt={jwtoken};secure;httponly;path=/;samesite=none

On client side Chrome shows me this cookie for the frame https://react.mycompany.com:

name: jwt
value: XXX
domain: apigee.proxy.com
path: /
httpOnly: true
secure: true
sameSite: none

Now on non-auth requests Apigee checks the presence of the jwt cookie before processing the request.

The cookie is not sent on the OPTIONS preflight request and therefore all calls fail.

On client side we use the fetch() API with credentials: 'include'.

What am I missing here?

Questioner
Moritz Schmitz v. Hülst
Viewed
0
分享
sideshowbarker 2020-12-02 00:03:35

Browsers don’t ever send cookies in preflight OPTIONS requests. So what the question describes is expected behavior. And the reason browsers don’t send cookies in the preflight is because the spec for the CORS protocol requires browsers to exclude cookies and all other standard credentials (e.g., the Authorization header) from the preflight. See https://fetch.spec.whatwg.org/#ref-for-credentials%E2%91%A5, which states:

a CORS-preflight request never includes credentials

…and see also the answer a https://stackoverflow.com/a/50959576/441757.

So the server the preflight is sent to must be configured to allow unauthenticated OPTIONS requests — and must respond to OPTIONS requests with a 200 OK even if a request doesn’t include any cookies or other credentials. That’s a fundamental requirement of the CORS protocol.

热门帖子

1
学英语的朋友们可以来看看 https://langplayground.top/
2
华中科大的计算机技术的在职硕士,职场认可度如何?
3
十兆宽带 100 块钱一个月我是活在 80 年代吗?
4
关于高质量 屏幕共享的问题
5
我是真的受不了打小报告的三八了!
6
怎么管理自己的文件体系
7
[开发者自荐] AirBattery: 在 Mac 端获取所有设备的电量并显示在 Dock 或状态栏上
8
南京移动 IPV6 被停
9
WireGuard 跨国组网失败后,一个新工具的诞生
10
你的 IDEA(2024.1) 在 macOS 上崩吗?

热门github

1
A multi-platform library for OpenGL, OpenGL ES, Vulkan, window and input
2
Dev tool that writes scalable apps from scratch while the developer oversees the implementation
3
shadcn/ui, but for Svelte. ✨
4
The Python Risk Identification Tool for generative AI (PyRIT) is an open access automation framework to empower security professionals and machine learning engineers to proactively find risks in their generative AI systems.
5
Performance-portable, length-agnostic SIMD with runtime dispatch
6
ZK Credo
7
OpenCodeInterpreter: Integrating Code Generation with Execution and Refinement
8
Joplin - the secure note taking and to-do app with synchronisation capabilities for Windows, macOS, Linux, Android and iOS.
9
Mamba is a new state space model architecture showing promising performance on information-dense data such as language modeling, where previous subquadratic models fall short of Transformers. It is based on the line of progress on structured state space models, with an efficient hardware-aware design and implementation in the spirit of FlashAttention.
10
This repository contains System Design resources which are useful while preparing for interviews and learning Distributed Systems
11
Curso para aprender el lenguaje de programación Python desde cero y para principiantes. 75 clases, 37 horas en vídeo, código, proyectos y grupo de chat. Fundamentos, frontend, backend, testing, IA...
12
🎓 Path to a free self-taught education in Computer Science!
13
1️⃣🐝🏎️ The One Billion Row Challenge -- A fun exploration of how quickly 1B rows from a text file can be aggregated with Java
14
A collective list of free APIs
15
📚 Freely available programming books