I’m writing some code that makes an AJAX request to our web server. Our server runs some logic and then responds with some JSON. It may also respond with a set-cookie header:
Set-Cookie: our_organisation=[uuid]; domain=.our_organisation.com; path=/; expires=[soon]
It works in Chrome and Safari as far as I can tell, but not in Firefox. Firefox will accept the cookie if it’s an image request instead. Am I doing something wrong here?
I already had a problem where I couldn’t read the AJAX response on the client side in Firefox; this was fixed by setting Access-Control-Allow-Origin: * in the response header.
This is a cross-site XMLHttpRequest?
If so, per http://dev.w3.org/2006/webapi/XMLHttpRequest-2/
withCredentials defaults to false so the “credentials flag” used for CORS is set to false, and then per http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html the “block cookies” flag is set during the HTTP GET, and per http://www.whatwg.org/specs/web-apps/current-work/multipage/fetching-resources.html#fetch that means Set-Cookie headers are ignored. Sounds like Chrome and Safari are just not following the specs here.
You can set withCredentials = true on the XHR object to send cookies. But note that if you do that you have to list an actual origin in Access-Control-Allow-Origin; you can’t just use *.
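Both halves of the credentialed exchange the answer describes, as an added example that is not code from the question or the answer: the server picks the exact requesting origin from an allowlist (never *) and adds Access-Control-Allow-Credentials, and the client opts in with withCredentials. The origin allowlist and URLs are constructed for illustration; the XHR object is passed in so the client helper can be exercised outside a browser.

```javascript
// Added example, not from the original page. Origins below are constructed
// on the question's .our_organisation.com domain for illustration.
const ALLOWED_ORIGINS = new Set([
  'https://app.our_organisation.com',
  'https://admin.our_organisation.com',
]);

// Server side: compute the CORS headers for a credentialed request that
// carries the given Origin header. Returns null when the origin is not on
// the allowlist, in which case the server should emit no CORS headers at all
// and the browser will refuse to expose the response to the page.
function corsHeadersForCredentialedRequest(originHeader) {
  if (typeof originHeader !== 'string' || !ALLOWED_ORIGINS.has(originHeader)) {
    return null;
  }
  return {
    // Must be the specific origin: browsers reject "*" when credentials are used,
    // so the Set-Cookie on the response would be dropped again.
    'Access-Control-Allow-Origin': originHeader,
    // Required alongside withCredentials = true on the client.
    'Access-Control-Allow-Credentials': 'true',
    // The response now differs per Origin, so shared caches must key on it.
    'Vary': 'Origin',
  };
}

// Client side: without withCredentials the "block cookies" flag applies and
// any Set-Cookie header on the JSON response is ignored by a spec-following
// browser. `xhr` is an XMLHttpRequest (or a stand-in with open/send).
function sendCredentialedRequest(xhr, url) {
  xhr.open('GET', url, true);
  xhr.withCredentials = true; // send existing cookies and accept Set-Cookie
  xhr.send(null);
  return xhr;
}
```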