I'm using a Rust (Actix) backend and Angular frontend, hosted on separate domains. I've configured CORS on the backend:

    let cors = Cors::default()
        .allowed_origin(FRONTEND_URL)
        .allowed_origin("http://localhost:3000")
        .allowed_methods(vec!["GET", "POST"])
        .allowed_headers(vec![header::AUTHORIZATION, header::ACCEPT, header::CONTENT_TYPE, header::ACCESS_CONTROL_ALLOW_CREDENTIALS])
        .supports_credentials();

Cookies are configured to be secure, httponly, and SameSite=None:

    Cookie::build("cookie_name", cookie_value)
        .path("/")
        .secure(true)
        .http_only(true)
        .same_site(SameSite::None)
        .finish()

On the frontend, I'm using the standard Angular HttpClient to make an API call, using withCredentials: true:

    this.http.get<ResponseObject>(url, {
        params: { ... },
        withCredentials: true
    })

Chrome dev tools shows the Set-Cookie header in the response, but the cookie is never actually set except when I run both the backend and frontend locally.
I've looked at this, this, this, this, this, and this, trying each of the proposed solutions, but with no success.
What am I missing? What needs to be changed to ensure the cookies are set?
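
An added diagnostic example, not part of the original post: it checks the response headers copied from dev tools against the header-level rules a browser applies before storing a cookie from a cross-site, credentialed request. The function names, origins, URLs and cookie values are constructed for illustration, and the request is assumed to be cross-site.

```javascript
// Added example (not from the original post). All sample values are constructed.
function parseSetCookie(line) {
  const [pair, ...rest] = line.split(";").map((s) => s.trim());
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf("=");
    attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? "" : a.slice(i + 1);
  }
  return { name: pair.split("=")[0], attrs };
}

// Returns a list of rule names the response violates; empty means the headers pass.
function crossSiteCookieProblems(pageOrigin, apiUrl, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const problems = [];
  // Credentialed CORS: the page origin must be echoed exactly, "*" is not accepted.
  if (h["access-control-allow-origin"] !== pageOrigin) problems.push("allow-origin");
  if (h["access-control-allow-credentials"] !== "true") problems.push("allow-credentials");
  if (!h["set-cookie"]) return problems.concat("no-set-cookie");
  const { attrs } = parseSetCookie(h["set-cookie"]);
  // Without SameSite=None the cookie is not stored from a cross-site XHR/fetch response.
  if ((attrs.samesite || "").toLowerCase() !== "none") problems.push("samesite");
  // SameSite=None is rejected unless Secure is also present.
  else if (!("secure" in attrs)) problems.push("secure");
  // Domain, when given, must be the API host or a parent of it (RFC 6265 domain-match).
  const host = new URL(apiUrl).hostname;
  const domain = (attrs.domain || "").replace(/^\./, "").toLowerCase();
  if (domain && host !== domain && !host.endsWith("." + domain)) problems.push("domain");
  return problems;
}

// Constructed sample: frontend on app.example, API on api.example.net.
const PAGE = "https://app.example";
const API = "https://api.example.net/login";
const goodHeaders = {
  "Access-Control-Allow-Origin": PAGE,
  "Access-Control-Allow-Credentials": "true",
  "Set-Cookie": "cookie_name=v; Path=/; Secure; HttpOnly; SameSite=None",
};
const badHeaders = {
  "Access-Control-Allow-Origin": "*",
  "Set-Cookie": "cookie_name=v; Path=/; HttpOnly; SameSite=None; Domain=app.example",
};
console.log(crossSiteCookieProblems(PAGE, API, goodHeaders));
console.log(crossSiteCookieProblems(PAGE, API, badHeaders));
```

An empty result only means the headers are acceptable; a browser's own third-party cookie blocking is not visible in the response headers and is outside this check.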