I have my web client deployed at https://web-xxxxxxxx-uw.a.run.app (deployed by Google Cloud Run) and the backend API deployed at https://api-xxxxxxxx-uw.a.run.app.
The backend here is responsible for setting an httpOnly secure cookie, but the browser won't allow it. I am not setting the actual URL of the API as the cookie domain, but a domain.
I have gone through some SO posts where it is mentioned that if we want to set a cookie from cross URLs, then they both must belong to the same domain. And in my case that is .a.run.app. The backend is setting this domain only, but I am still getting this: "set-cookie domain attribute was invalid with regards to the current host url".
https://serverfault.com/questions/153409/can-subdomain-example-com-set-a-cookie-that-can-be-read-by-example-com
Set cookies for cross origin requests
Set-Cookie was blocked because its Domain attribute was invalid with regards to the current host url
This is the cookie:
set-cookie: authToken=eyJ0eXAiOiJKV.1ZmkuY29tIiwiZXhwIj.h7g7jIB4_orn; Path=/; Domain=.a.run.app; Max-Age=864000; Expires=Fri, 09 Apr 2021 13:51:57 GMT; Secure; HttpOnly; SameSite=None
The backend code is written in Spring Boot:
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;

// Build the auth cookie; AUTH_COOKIE_NAME, token, EXPIRATION_TIME_SEC and
// httpServletResponse are defined elsewhere in the controller.
ResponseCookie cookie = ResponseCookie.from(AUTH_COOKIE_NAME, token)
        .httpOnly(true)                // not readable from JavaScript
        .maxAge(EXPIRATION_TIME_SEC)   // lifetime in seconds
        .path("/")
        .sameSite("None")              // needed for cross-site requests; requires Secure
        .secure(true)
        .domain(".a.run.app")          // shared parent of both Cloud Run hosts
        .build();
httpServletResponse.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());
What am I doing wrong here?
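As an added example (not code from the question), the following models the two checks a browser runs on a Set-Cookie Domain attribute before storing the cookie: the domain-match rule from RFC 6265 section 5.3, and the public-suffix rule that browsers layer on top of it, which rejects any Domain that is itself a public suffix (this is what stops a site from setting a cookie for all of co.uk). The Set-Cookie header is checked against the host of the URL that produced the response, here the API host, not against the page origin. a.run.app is on the Public Suffix List, and the PUBLIC_SUFFIXES set below is a constructed excerpt of that list for the example; a real check consults the full list. The header fed to it is the one from the question.

```javascript
// Constructed excerpt of the Public Suffix List for this example; a real
// check must consult the full list (https://publicsuffix.org/).
const PUBLIC_SUFFIXES = new Set(["com", "co.uk", "app", "run.app", "a.run.app"]);

// Minimal Set-Cookie parser: name=value, then ;-separated attributes.
// Attribute names are lowercased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const parts = header.split(";").map((s) => s.trim());
  const eq = parts[0].indexOf("=");
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1),
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// RFC 6265 section 5.1.3: host domain-matches domain if they are equal, or
// if host ends with "." + domain.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Decide whether a browser would store the cookie carried by a response whose
// request URL host is requestHost. Returns { accepted, reason, domain }.
function evaluateSetCookie(header, requestHost) {
  const c = parseSetCookie(header);
  const host = requestHost.toLowerCase();
  const raw = c.attrs.domain;
  if (raw === undefined || raw === true || raw === "") {
    // No Domain attribute: host-only cookie, returned only to requestHost.
    return { accepted: true, reason: "host-only cookie", domain: host };
  }
  // Section 5.2.3: a leading dot is ignored and the value is lowercased.
  const domain = String(raw).toLowerCase().replace(/^\./, "");
  if (PUBLIC_SUFFIXES.has(domain)) {
    if (domain === host) {
      // Browser exception: a public suffix equal to the host is treated as host-only.
      return { accepted: true, reason: "public suffix equals host; host-only", domain: host };
    }
    return { accepted: false, reason: "Domain is a public suffix: " + domain, domain };
  }
  if (!domainMatches(host, domain)) {
    return { accepted: false, reason: host + " does not domain-match " + domain, domain };
  }
  return { accepted: true, reason: "ok", domain };
}

// The header from the question, evaluated against the API host that sent it.
const QUESTION_HEADER =
  "authToken=eyJ0eXAiOiJKV.1ZmkuY29tIiwiZXhwIj.h7g7jIB4_orn; Path=/; Domain=.a.run.app; " +
  "Max-Age=864000; Expires=Fri, 09 Apr 2021 13:51:57 GMT; Secure; HttpOnly; SameSite=None";
const API_HOST = "api-xxxxxxxx-uw.a.run.app";

console.log(evaluateSetCookie(QUESTION_HEADER, API_HOST));
// Constructed contrast: a registrable domain the sender controls is accepted.
console.log(evaluateSetCookie("authToken=t; Domain=example.com; Secure", "api.example.com"));
```

Run with `node`. The first call is rejected because a.run.app is a public suffix, independent of the Spring Boot code being correct; the second passes because example.com is a registrable domain and api.example.com domain-matches it. The practical consequence for a deployment like the one in the question is that a shared cookie needs both services under a domain the operator controls (for instance custom domain mappings such as web.example.com and api.example.com with Domain=example.com), or the API served behind the web origin so the cookie can be host-only with no Domain attribute at all.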