Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Hopefully this is simple to answer.
With a credentialed request in XHR2, which cookies are sent?
I’ve been following the MDN article on credentialed requests, and it shows that the cookie pageAccess=2 is sent with the request. However it doesn’t explain where that cookie comes from, and why that cookie specifically is being sent. Is it simply that all cookies set by the page are sent in any credentialed request?
From the HTML5 Rocks page on CORS:
I assume “any cookies” means “all cookies” (probably subject to a HTTPS-only flag on the cookie), since there is no mechanism to specify cookies with XHR2.
The cookies that get sent are the cookies that were set by the remote domain: if
foo.comsends a request a credentialed request tobar.com, any cookies set bybar.comare sent. To put this in practical terms, supposefacebook.comhas a CORS-aware API that requires you to be logged in to use. I’ve logged in to Facebook earlier in my browser session, but now I’m browsingfoo.com, which is going to use Facebook’s API on my behalf.foo.comasks th ebrowser to send a cross-domain request tofacebook.comalong with all myfacebook.comcookies so Facebook knows who I am and that I’ve already authenticated to Facebook.