Sunday, 14 April 2019

How to whitelist frontend 3rd party cookies

Having my frontend and backend on different domains, the browser blocks cookies sent between them as 3rd party.

Is there any way to whitelist the cookies programmatically, i.e. not by disabling the option in the browser?


More details on what I do:

I'm using the cookie to send a JWT in an http-only cookie, for authentication.
I'm using React with axios (client) and Node.js with Express (server), but I believe the issue is language-independent...

On the client side, every request has:
withCredentials = true.

On the server side, the response is built (with node Express) like so:

  res.cookie('token', jsonToken, { httpOnly: true })
     .sendStatus(httpStatus.OK);

and the cors options (using the npm cors package):

const corsOptions = {
  origin: process.env.FRONTEND_URL,
  credentials: true
};

What I tried and didn't work (brace for desperate / nonsense ideas...):

  • setting the cookie domain to the server domain so that the browser accepts it;
  • adding allowHeaders and exposeHeaders to the cors options on the server, with the following value: ['cookie', 'set-cookie'].
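Added example, not code from the original post: the cookie attributes and CORS response headers a cross-site, credentialed login needs, with the post's own `{ httpOnly: true }` cookie shown beside the corrected form, in plain Node.js with no Express or cors dependency so it runs offline. The frontend origin and token value are constructed placeholders.

```javascript
// Constructed placeholder for the frontend origin (process.env.FRONTEND_URL in the post).
const FRONTEND_ORIGIN = 'https://app.example.com';

// Serialize cookie attributes the way Express's res.cookie() does.
function serializeCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join('; ');
}

// CORS headers for a credentialed request: the origin must be echoed
// explicitly (browsers reject '*' together with credentials) and only
// when it matches the single allowed frontend origin.
function corsHeaders(requestOrigin, allowedOrigin) {
  if (requestOrigin !== allowedOrigin) return {};
  return {
    'Access-Control-Allow-Origin': allowedOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Check a Set-Cookie value against the rules a browser applies before it
// stores and later sends the cookie on a cross-site request.
function crossSiteCookieProblems(setCookie) {
  const attrs = setCookie.split(';').slice(1).map(s => s.trim().toLowerCase());
  const problems = [];
  if (!attrs.includes('samesite=none')) problems.push('SameSite must be None for a cross-site cookie');
  if (!attrs.includes('secure')) problems.push('SameSite=None is rejected without Secure');
  if (!attrs.includes('httponly')) problems.push('an auth token cookie should be HttpOnly');
  return problems;
}

// Before: the post's cookie. Browsers treat a missing SameSite as Lax.
const before = serializeCookie('token', 'JWT_PLACEHOLDER', { httpOnly: true });
// After: explicitly cross-site, HTTPS-only, still unreadable from scripts.
const after = serializeCookie('token', 'JWT_PLACEHOLDER',
  { httpOnly: true, secure: true, sameSite: 'None', path: '/' });

console.log(before, '->', crossSiteCookieProblems(before));
console.log(after, '->', crossSiteCookieProblems(after));
console.log(corsHeaders(FRONTEND_ORIGIN, FRONTEND_ORIGIN));
```

These are the server-side settings browsers honour for a cross-site cookie; a browser configured to block third-party cookies outright is not overridden by any of them.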
