I am on a website https://aaa.shared.com. This website (call it A) sends an XHR request to the URL https://zzz.shared.com/some/path (website Z) and receives a response with the following headers:

access-control-allow-credentials: true
access-control-allow-origin: aaa.shared.com
set-cookie: foo=bar; expires=Fri, 01 Jan 2100 00:00:00 GMT; path=/; secure; samesite=none; httponly

(I followed the answer on this question to add the access-control headers.)
Now, what I would expect is that whenever I am on either A or Z, whenever a request goes to Z (cross-origin or same-origin, what matters is the URL of the request) the browser would add the cookie, but it doesn't! Moreover, I cannot see it being set in the browser Developer Tools (F12 -> Application -> Cookies). I am using Chrome, but aiming for a cross-browser solution.
What am I missing? I am finding it really hard to find elaborate information on how the Set-Cookie header works when requesting a different origin.
EDIT: rowan_z originally suggested replacing samesite=lax with samesite=none, as A and Z in the first version of this question were completely separate domains (sharing only the .com part). I tried it and it didn't help. But now I realise that they are actually regarded as SameSite, because they are on different subdomains of the shared.com domain. So now I believe that samesite=lax should have worked here as well.
UPDATE: In the end, I just moved the application aaa.shared.com under the same subdomain with some path, zzz.shared.com/aaa/path, as dealing with cookies and CORS is really tough. Also, configuring it to work with localhost adds extra complications.
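As an added example (not part of the question or any answer to it), the following script reproduces the checks a browser applies before it exposes a credentialed cross-origin response and stores its Set-Cookie: the request must be sent with credentials, Access-Control-Allow-Credentials must be exactly `true`, Access-Control-Allow-Origin must equal the page's full origin (scheme included, never `*`), and a cookie with SameSite=None must also carry Secure. The header values and the origin are the ones from the question; the function names are my own.

```javascript
// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[k] = i === -1 ? true : a.slice(i + 1); // flag attrs become true
  }
  return cookie;
}

// pageOrigin: origin of the page issuing the XHR (e.g. "https://aaa.shared.com").
// headers: response headers with lower-cased names; set-cookie may be a string or array.
// withCredentials: whether the XHR was sent with withCredentials / credentials:"include".
function checkCredentialedCors(pageOrigin, headers, withCredentials) {
  const problems = [];
  if (!withCredentials) {
    problems.push("request sent without credentials; Set-Cookie on the response is ignored");
  }
  const acao = headers["access-control-allow-origin"];
  const acac = headers["access-control-allow-credentials"];
  if (acac !== "true") {
    problems.push("access-control-allow-credentials must be exactly 'true'");
  }
  if (acao === "*") {
    problems.push("access-control-allow-origin '*' is rejected for credentialed requests");
  } else if (acao !== pageOrigin) {
    problems.push(`access-control-allow-origin '${acao}' != page origin '${pageOrigin}' (scheme included)`);
  }
  const cookies = [].concat(headers["set-cookie"] || []).map(parseSetCookie);
  for (const c of cookies) {
    const sameSite = String(c.attrs.samesite || "lax").toLowerCase();
    if (sameSite === "none" && !("secure" in c.attrs)) {
      problems.push(`cookie ${c.name}: samesite=none requires the secure attribute`);
    }
  }
  return { ok: problems.length === 0, problems, cookies };
}

// Constructed sample: the exact headers shown in the question.
const sampleHeaders = {
  "access-control-allow-credentials": "true",
  "access-control-allow-origin": "aaa.shared.com",
  "set-cookie": "foo=bar; expires=Fri, 01 Jan 2100 00:00:00 GMT; path=/; secure; samesite=none; httponly",
};
```

Calling `checkCredentialedCors("https://aaa.shared.com", sampleHeaders, true)` reports the origin mismatch; with the scheme added to the header value and a credentialed request it returns `ok: true`.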