When an AJAX response from a different origin/domain carries Set-Cookie headers, the browser by default rejects them (the cookies are not set) because of the same-origin policy. To allow them, the request must opt in with withCredentials: true or the equivalent flag for the client in use (e.g. to receive a CSRF token as a cookie that we can then read back and attach to each POST request):
- XMLHttpRequest: withCredentials: true
  https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials
- axios: withCredentials: true
  https://flaviocopes.com/axios-credentials/
- fetch: credentials: 'include'
  https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch#including_credentials
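The request-side flag alone is not enough: the server's response must also pass the browser's credentialed-CORS checks, or the Set-Cookie is still dropped. The following is an added example (not part of the original note) that lists the three opt-ins side by side and mirrors those response-side checks over captured headers; the origins, cookie name and values are constructed placeholders, and `checkCredentialedResponse` is a hypothetical helper, not a browser API.

```javascript
// Added example, not from the original note: the three client-side opt-ins side by side, plus a
// helper that applies the same checks a browser does before it honours Set-Cookie on a credentialed
// cross-origin response, so a captured response explains why a cookie (e.g. a CSRF token) was dropped.
// Origins, cookie names and values below are constructed placeholders.

// Request-side opt-ins from the note; each one makes the browser send cookies and accept Set-Cookie.
const clientOptions = {
  xhr: { withCredentials: true },    // xhr.withCredentials = true, set after open() and before send()
  axios: { withCredentials: true },  // axios.get(url, { withCredentials: true })
  fetch: { credentials: 'include' }, // fetch(url, { credentials: 'include' })
};

// Response-side requirements. Returns { allowed, problems } for the given page origin and headers.
function checkCredentialedResponse(pageOrigin, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v; // header names are case-insensitive
  const problems = [];
  const acao = h['access-control-allow-origin'];
  if (acao === undefined) problems.push('missing Access-Control-Allow-Origin');
  else if (acao === '*') problems.push('Access-Control-Allow-Origin "*" is rejected with credentials; echo the exact origin');
  else if (acao !== pageOrigin) problems.push(`Access-Control-Allow-Origin ${acao} does not match ${pageOrigin}`);
  if (h['access-control-allow-credentials'] !== 'true') problems.push('Access-Control-Allow-Credentials must be exactly "true"');
  // Cross-site cookies must also carry SameSite=None and Secure, or browsers that default
  // SameSite to Lax (Chromium-based ones) silently drop them.
  for (const cookie of [].concat(h['set-cookie'] ?? [])) {
    const [nameValue, ...rawAttrs] = cookie.split(';');
    const name = nameValue.split('=')[0].trim();
    const attrs = rawAttrs.map((a) => a.trim().toLowerCase());
    if (!attrs.includes('samesite=none')) problems.push(`cookie ${name} needs SameSite=None for cross-site use`);
    if (!attrs.includes('secure')) problems.push(`cookie ${name} needs the Secure attribute`);
  }
  return { allowed: problems.length === 0, problems };
}

// Constructed sample: what a correctly configured API on another site returns to https://app.example.org.
const goodResponse = {
  'Access-Control-Allow-Origin': 'https://app.example.org',
  'Access-Control-Allow-Credentials': 'true',
  'Set-Cookie': 'XSRF-TOKEN=placeholder-token; Path=/; Secure; SameSite=None',
};
// Constructed sample: the usual mistake, a wildcard origin and a cookie with no SameSite/Secure attributes.
const badResponse = {
  'Access-Control-Allow-Origin': '*',
  'Set-Cookie': 'XSRF-TOKEN=placeholder-token; Path=/',
};
console.log(checkCredentialedResponse('https://app.example.org', goodResponse)); // { allowed: true, problems: [] }
console.log(checkCredentialedResponse('https://app.example.org', badResponse));  // allowed: false, four problems
```

Run it against the headers shown in the browser's network panel for the CSRF request; each reported problem names the header or cookie attribute the API has to fix.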