AlexAtkinson/CORS.md

Last active May 29, 2024 20:58

Star (0) You must be signed in to star a gist
Fork (0) You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/AlexAtkinson/28d694866ce134a10d1a356ada244558.js"></script>
Save AlexAtkinson/28d694866ce134a10d1a356ada244558 to your computer and use it in GitHub Desktop.

Download ZIP

A CORS Cheat...

Raw

CORS.md

CORS -- Just the edge knowledge

localhost

To set cookies on the localhost, either have a self signed cert setup (see refs), or exclude the 'secure', and 'sameSite' directives.

CORS

Be aware of:
- forbidden headers
  - These are headers that are instrumented by the client/server and that cannot be set or modified.
- safelisted headers (simple response headers)

⚠️ Ensure the withCredentials XHR property is set on the server to allow cross-origin requests to set cookies. Or, if using fetch(), set credentials: "include"

Set-Cookie Directives

domain

must have at least two periods (.) or clients will treat it as invalid.
🚩 the leading period sometimes seen in documentation exists only to support old browsers. Modern browsers, if the domain directive is included, will make a cookie available to the domain and all subdomains.
⚠️ to set a cookie only for a specific domain and not subdomains, exclude the 'domain' directive.

References

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment