
I am trying to make a CORS request with credentials (cookies attached) and Chrome is not attaching the cookie to my request. I have set the cookie to a sub-domain of the existing page and I could observe it is set successfully from the cookie manager.

I do not have this problem with Chrome version 78 (the latest version). But for the previous versions, I have this problem (I have checked 75 and 77). I also do not have any problem with the other major browsers. They also attach cookies without a problem. (I have tested my code with Firefox, IE, Opera and Edge.)

This is how I have set the cookie from the external service end.

res.setHeader('Set-Cookie','cdn-token=exp3header_same-site-none; domain=.local.com; path=/; SameSite=None;');

The complete sample code base can be found at the following links:

External service - https://github.com/bhanukayapa/cors-backend.git

Front-end application - https://github.com/bhanukayapa/cors-angular-frontend.git

Can someone please explain the root cause of this problem? I checked the Chrome release notes as well. I could not find any bug fix or improvement related to this. Thanks in advance.

  • Please include the code you're using to make the request or even better, link to a page that demonstrates this issue. Are you testing over HTTPS? – rowan_m Nov 04 '19 at 12:54
  • Thanks for the reply @rowan_m. Unfortunately I'll provide the code segment you request and a GitHub repository of a simple application demonstrating this issue. And yes, I am using HTTPS. – Bhanuka Yapa Nov 05 '19 at 15:00
  • @rowan_m I have updated my question with the requested information. Can you please have a look? – Bhanuka Yapa Nov 05 '19 at 15:40

1 Answer


If setting SameSite=None, this must be paired with Secure, e.g.:

res.setHeader('Set-Cookie','cdn-token=exp3header_same-site-none; domain=.local.com; path=/; SameSite=None; Secure');
rowan_m
  • Still it's possible, right? As per this link => https://www.chromestatus.com/feature/5633521622188032 it says that the restriction will only be there after Chrome version 80. Anyway, in my real code I have added the Secure flag also. Still not working. Any more suggestions @rowan_m? Anyway, thanks for the reply. – Bhanuka Yapa Nov 06 '19 at 06:13
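
The check below is an added example, not code from the question or the answer: it parses a Set-Cookie value and reports whether SameSite=None is paired with Secure, as the answer requires, and whether Domain covers the host the request goes to. The host api.local.com and the function names are assumptions made for illustration.

```javascript
// Added example, not code from the question or the answer.
// Header values copied from the page; the request host is constructed.
const QUESTION_HEADER =
  'cdn-token=exp3header_same-site-none; domain=.local.com; path=/; SameSite=None;';
const ANSWER_HEADER =
  'cdn-token=exp3header_same-site-none; domain=.local.com; path=/; SameSite=None; Secure';

// Parse "name=value; Attr=Val; Flag" into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((p) => p.trim()).filter(Boolean);
  if (!pair || !pair.includes('=')) throw new TypeError('not a Set-Cookie value');
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of rest) {
    const i = part.indexOf('=');
    // Attribute names are case-insensitive; flags such as Secure carry no value.
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Report attribute problems for a cookie that must be sent on cross-site
// requests by browsers enforcing the newer SameSite rules.
function auditCrossSiteCookie(header, requestHost) {
  const { attrs } = parseSetCookie(header);
  const problems = [];
  const sameSite = String(attrs.samesite || '').toLowerCase();
  if (sameSite !== 'none') {
    problems.push('SameSite is not None');
  } else if (attrs.secure !== true) {
    problems.push('SameSite=None without Secure');
  }
  if (typeof attrs.domain === 'string') {
    // A leading dot in Domain is ignored; the host must equal or be a subdomain of it.
    const domain = attrs.domain.replace(/^\./, '').toLowerCase();
    const host = requestHost.toLowerCase();
    if (host !== domain && !host.endsWith('.' + domain)) {
      problems.push('Domain does not cover ' + host);
    }
  }
  return problems;
}

console.log(auditCrossSiteCookie(QUESTION_HEADER, 'api.local.com'));
console.log(auditCrossSiteCookie(ANSWER_HEADER, 'api.local.com'));
```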