Set-Cookie on Browser with Ajax Request via CORS

by

Your AJAX request must be made with the “withCredentials” settings set to true (only available in XmlHttpRequest2 and fetch):

    var req = new XMLHttpRequest();
    req.open('GET', 'https://api.bobank.com/accounts', true); // force XMLHttpRequest2
    req.setRequestHeader('Content-Type', 'application/json; charset=utf-8');
    req.setRequestHeader('Accept', 'application/json');
    req.withCredentials = true; // pass along cookies
    req.onload = function()  {
        // store token and redirect
        let json;
        try {
            json = JSON.parse(req.responseText);
        } catch (error) {
            return reject(error);
        }
        resolve(json);
    };
    req.onerror = reject;

If you want a detailed explanation on CORS, API security, and cookies, the answer doesn’t fit in a StackOverflow comment. Check out this article I wrote on the subject: http://www.redotheweb.com/2015/11/09/api-security.html

More Related Contents:

  1. What is the motivation behind the introduction of preflight CORS requests?
  2. HTTP Cookies and Ajax requests over HTTPS
  3. CORS: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true
  4. Response to preflight request doesn’t pass access control check
  5. Returning redirect as response to XHR request
  6. What does it mean when an HTTP request returns status code 0?
  7. Same origin Policy and CORS (Cross-origin resource sharing)
  8. What security risks exist when setting Access-Control-Allow-Origin to accept all domains?
  9. Does an HTTP Status code of 0 have any meaning?
  10. WebSockets protocol vs HTTP
  11. CORS issue while making an Ajax request for oauth2 access token
  12. API Gateway CORS: no ‘Access-Control-Allow-Origin’ header
  13. Can an AJAX response set a cookie?
  14. Cross-Domain AJAX doesn’t send X-Requested-With header
  15. Access denied in IE 10 and 11 when ajax target is localhost
  16. $http.get is not allowed by Access-Control-Allow-Origin but $.ajax is
  17. What’s to stop malicious code from spoofing the “Origin” header to exploit CORS?
  18. CORS cookie credentials from mobile WebView loaded locally with file://
  19. Ajax call bug with Chrome new version 73.0.3683.75?
  20. Returning redirect as response to Ajax (fetch, XHR, etc.) request
  21. Why is the browser not setting cookies after an AJAX request returns?
  22. Enable CORS in Golang
  23. Using the HTTP Range Header with a range specifier other than bytes?
  24. Web sockets make ajax/CORS obsolete?
  25. Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at
  26. Cross-Origin Request Blocked
  27. How to block external http requests? (securing AJAX calls)
  28. phonegap: cookie based authentication (PHP) not working [webview]
  29. Angular 2 HTTP Progress bar
  30. GET vs POST in AJAX?

Leave a Comment