Wednesday, August 1, 2018

JavaScript POST request doesn't contain cookies

I'm making a POST request to my own server using the web's native fetch.

When I use fetch, the response contains neither cookies that the server adds to the response nor cookies that the AWS ELB is adding for session stickiness.

Using curl I can confirm the cookies are being added to the response (values redacted and some unnecessary fields removed):

curl -v -X POST -H "Authorization: token xxx" myserver.com
* Trying <IP>
* TCP_NODELAY set
* Connected to myserver.com (<IP>) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: ...
> POST endpoint HTTP/1.1
> Host: myserver.com
> User-Agent: curl/7.54.0
> Accept: */*
> Authorization: token xxx
> 
< HTTP/1.1 201 Created
< access-control-allow-credentials: true
< access-control-allow-headers: Authorization
< access-control-allow-origin: http://localhost:3000
< content-security-policy: frame-ancestors 'self'; report-uri /hub/security/csp-report; default-src 'none'
< content-type: text/plain
< date: Wed, 01 Aug 2018 19:30:18 GMT
< server: TornadoServer/5.1
< set-cookie: my-custom-cookie=c00kie; Path=/
< Set-Cookie: AWSELB=<AWS_COOKIE>;PATH=/
< Content-Length: 177
< Connection: keep-alive
< 
* <Response>

When I use fetch, however, the response is this:

// headers was defined elsewhere in my code; shown here with the same header the curl call sends
const headers = { Authorization: 'token xxx' };

fetch(`https://myserver.com/endpoint`, {
  method: 'POST',
  headers: headers,
  credentials: 'include',
})

//
access-control-allow-credentials: true
access-control-allow-headers: Authorization
access-control-allow-origin: http://localhost:3000
Connection: keep-alive
Content-Length: 177
content-security-policy: frame-ancestors 'self'; report-uri /hub/security/csp-report; default-src 'none'
content-type: text/plain
date: Wed, 01 Aug 2018 19:21:58 GMT
server: TornadoServer/5.1
x-jupyterhub-version: 0.9.1

(Value is taken from the Chrome console Network tab—I'm unable to post images)

I'm assuming this has to do with CORS—the fetch request is coming from a browser. However, I've set credentials: 'include' on the fetch request as per this: https://developer.mozilla.org/en-US/docs/Web/API/Request/credentials

How can I configure fetch to allow for cookies to be sent and received cross-origin?
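For reference, here is what the server side of a credentialed cross-origin exchange has to look like for a `credentials: 'include'` fetch to get its cookie stored and sent back. This is an added example, not code from the question or from the questioner's server; `ALLOWED_ORIGINS`, `handleRequest()` and the other names are assumptions, and the two sample requests are constructed to mirror the curl and fetch calls above. Two facts it relies on: the browser rejects `Access-Control-Allow-Origin: *` for credentialed requests and needs the exact origin plus `Access-Control-Allow-Credentials: true`, and the Fetch specification lists `Set-Cookie` as a forbidden response header, so script never sees it in `response.headers` even when the browser has stored the cookie. The policy is written as pure functions over plain `{method, headers}` objects so the preflight and the real POST can be exercised offline.

```javascript
// Added example (not code from the original post): a credentialed-CORS
// policy for an endpoint like the one in the question, written as pure
// functions so the preflight and the POST can be run without a browser.
// ALLOWED_ORIGINS, handleRequest() and the other names are assumptions.

const ALLOWED_ORIGINS = new Set(['http://localhost:3000']); // assumed allow-list

// Header names are case-insensitive on the wire; normalise for lookups.
function header(headers, name) {
  const key = Object.keys(headers || {}).find(k => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// For a request made with credentials: 'include' the browser rejects
// Access-Control-Allow-Origin: * and requires the exact Origin echoed back
// plus Access-Control-Allow-Credentials: true. Echo only allow-listed
// origins, never the raw Origin header, or any site can read the response.
// Vary: Origin stops a shared cache replaying one origin's answer to another.
function corsHeadersFor(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

const ALLOWED_METHODS = ['GET', 'POST', 'OPTIONS'];
const ALLOWED_HEADERS = ['authorization', 'content-type'];

// A POST carrying a non-safelisted header such as Authorization is
// preflighted: the browser sends OPTIONS first and only performs the POST
// if the requested method and every requested header are allowed.
function preflightHeaders(origin, requestedMethod, requestedHeaders) {
  const base = corsHeadersFor(origin);
  if (!base || !ALLOWED_METHODS.includes(requestedMethod)) return null;
  const requested = (requestedHeaders || '')
    .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
  if (!requested.every(h => ALLOWED_HEADERS.includes(h))) return null;
  return {
    ...base,
    'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
    'Access-Control-Allow-Headers': 'Authorization, Content-Type',
    'Access-Control-Max-Age': '600',
  };
}

// A cookie that must ride along on a cross-site credentialed fetch needs
// SameSite=None and Secure (current Chrome drops it otherwise). HttpOnly
// costs nothing: script cannot read Set-Cookie from a fetch() response
// anyway, because the Fetch spec makes it a forbidden response header.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=None`;
}

// Simulated server side of the exchange: returns {status, headers, body}.
function handleRequest(req) {
  const origin = header(req.headers, 'origin');
  if (req.method === 'OPTIONS') {
    const h = preflightHeaders(origin,
      header(req.headers, 'access-control-request-method'),
      header(req.headers, 'access-control-request-headers'));
    return h ? { status: 204, headers: h, body: '' }
             : { status: 403, headers: {}, body: 'origin or headers not allowed' };
  }
  if (req.method !== 'POST') return { status: 405, headers: { Allow: 'POST' }, body: '' };
  if (!/^token \S+$/.test(header(req.headers, 'authorization') || '')) {
    return { status: 401, headers: {}, body: 'missing token' };
  }
  return {
    status: 201,
    headers: {
      ...(corsHeadersFor(origin) || {}), // non-CORS clients such as curl get no ACAO
      'Content-Type': 'text/plain',
      'Set-Cookie': sessionCookie('my-custom-cookie', 'c00kie'),
    },
    body: 'created',
  };
}

// The two requests a browser issues for the fetch() call in the question
// (constructed sample input, not captured traffic).
const preflight = {
  method: 'OPTIONS',
  headers: {
    Origin: 'http://localhost:3000',
    'Access-Control-Request-Method': 'POST',
    'Access-Control-Request-Headers': 'authorization',
  },
};
const post = {
  method: 'POST',
  headers: { Origin: 'http://localhost:3000', Authorization: 'token xxx' },
};
```

Wiring this into a real server is one line per branch (`res.writeHead(status, headers)` followed by `res.end(body)` in Node's `http` module, or the equivalent in Tornado). The check a practitioner would run against the real endpoint is the same one this simulates: send the OPTIONS preflight with `Origin` and `Access-Control-Request-Headers: authorization` and confirm the 204 carries the exact origin and `Access-Control-Allow-Credentials: true`, then send the POST and confirm in the browser's cookie storage (not in `response.headers`) that the cookie landed with attributes that allow cross-site use.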



