CORS + Http Only Cookies + Fetch + WithCredentials #150

@brauliodiez

As soon as we get a real login + cookies + CORS, check how we can make a fetch call that includes the httpOnly security token.

In theory it should be something straightforward:

```js
fetch('https://example.com', {
  credentials: 'include'
})
```

https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch

https://security.stackexchange.com/questions/53359/are-httponly-cookies-submitted-via-xmlhttprequest-with-withcredentials-true

> The second question is: will the HTTPOnly cookie be submitted to the token endpoint by the browser with my XHR if I set withCredentials=True?
>
> Yes it will. HTTPOnly protects from JavaScript itself on the client, it doesn't affect HTTP requests.
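
Added example, not part of the original issue or the project's code: the server side that `credentials: 'include'` depends on, written as a handler for Node's `http.createServer`. The origin allowlist, cookie name, routes and token value are assumptions made for illustration, and the API is assumed to be called only cross-origin.

```javascript
// Added example: allowlist and cookie name are assumptions, not project values.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// CORS headers for a credentialed request, or null when the origin is not allowed.
// With credentials the browser rejects "Access-Control-Allow-Origin: *",
// so the exact allowlisted origin is echoed back.
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Session cookie the page's script cannot read (HttpOnly) but the browser
// still attaches to cross-site fetches (SameSite=None requires Secure).
function sessionCookie(token) {
  return `session=${encodeURIComponent(token)}; Path=/; HttpOnly; Secure; SameSite=None`;
}

// Handler for http.createServer(handle); returns the status it sent.
function handle(req, res) {
  const cors = corsHeaders(req.headers.origin);
  if (!cors) { res.writeHead(403); res.end(); return 403; }
  if (req.method === 'OPTIONS') { // preflight for non-simple requests
    res.writeHead(204, { ...cors,
      'Access-Control-Allow-Methods': 'GET, POST',
      'Access-Control-Allow-Headers': 'Content-Type' });
    res.end(); return 204;
  }
  if (req.method === 'POST' && req.url === '/login') {
    // Credential check omitted; the token is a constructed sample value.
    res.writeHead(204, { ...cors, 'Set-Cookie': sessionCookie('sample-token') });
    res.end(); return 204;
  }
  // The HttpOnly cookie arrives in the Cookie request header.
  const hasSession = /(?:^|;\s*)session=/.test(req.headers.cookie || '');
  const status = hasSession ? 200 : 401;
  res.writeHead(status, cors);
  res.end(); return status;
}

// Browser side, from https://app.example.com:
//   await fetch('https://api.example.com/login', { method: 'POST', credentials: 'include' });
//   await fetch('https://api.example.com/me', { credentials: 'include' });
```

Without `Access-Control-Allow-Credentials: true` and an exact `Access-Control-Allow-Origin`, the browser still sends the cookie but withholds the response from the calling script.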
