The csrf cookie sent by my backend seems to be ignored by browsers.
The request is being made via Angular (2) from http://localhost.mydomain.com:4200 like so:
    import { Headers, RequestOptions, Response } from '@angular/http';
    import { Observable } from 'rxjs/Observable';
    import 'rxjs/add/operator/map';
    import 'rxjs/add/operator/catch';

    // Component/service method issuing the cross-origin POST
    get() {
        let headers = new Headers({
            'Content-Type'    : 'application/json',
            'withCredentials' : true   // sent as an ordinary request header named 'withCredentials'
        });
        let options = new RequestOptions({ headers : headers });
        return this.http.post('https://api.mydomain.com', {
                o : 'csrf',
                m : 'get',
                p : {}
            }, options)
            .map((res: Response) => {
                console.log('response received: ', res);
            })
            .catch((err: any) => {
                console.log('error received: ', err);
                return Observable.throw(err);
            });
    }
The request is being received by AWS API Gateway/Lambda running Express 4.x and sent back as:
res.cookie('csrf', token, {domain : '.mydomain.com'});
Setting cookies on XHR responses should be fine. Because both the request and response are subdomains of mydomain.com, I shouldn't need the withCredentials option (though, as shown, I tried sending it anyway). The response is received and the header is there. It's just not being set.
It's being ignored in Chrome, Firefox and IE, so I'm sure the problem is I'm missing something obvious :)