
I'm trying to do a CORS GET that sends the cookie along with it. I've set all the headers (access-control-allow-origin, access-control-allow-credentials, access-control-allow-headers) in the server and am using withCredentials: true and crossDomain: true in the jquery ajax request. Everything works when I tell my browser to allow third-party cookies. Is there any way to do this without forcing visitors to allow third party cookies? I've even tried redirecting the user and redirecting back, but CORS will refuse to send the cookie along. :/

I've tried doing the CORS request via ajax, as well as via an iframe.

What do you mean by "allow third-party cookies"? CORS still enforces the cookie's same-origin policy, so it can only send cookies from the server's origin. You can send a cookie from one origin to a different origin. – monsur

I have a page from domain A.com, and I'm trying to do a GET/POST from B.com on A.com's page. Both these domains are trusted. Does that make sense? – Charlotte Tan

A.com can only read/write cookies from A.com. B.com can only read/write cookies from B.com. withCredentials doesn't let JavaScript on A.com read cookies from B.com; it only indicates that requests from A.com to B.com should include B.com's cookies. So even with CORS, the cookie's same-origin policy is still enforced. – monsur

That's the thing: requests going to B.com do not include B.com's cookies if I disallow third-party cookies. – Charlotte Tan

In that case it would be useful to see the code you are using to make the request, and a capture of the request and response headers (from the browser's debugger). – monsur

1 Answer


I don't think it is possible. See my (old but relevant) blog post on this. The only bullet-proof way is to use 1st-party cookies (that is, open the page in a top-level window such as a separate tab, or redirect the current window).

In some cases it is not necessary though. Browsers have slightly different notions of what a third-party cookie is, and the default behavior is also different. This post has a nice overview of these details. So in some cases you could do tricks to enable (or at least detect) the use of cookies on the page.

Other workarounds include putting one server under a subdomain of the other (subdomains are usually not considered 3rd-party), or changing the flow so that the user is authenticated by other means than cookies.
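As an added illustration of the server side of the credentialed request the question describes (example code, not from the question, the answer, or any library), the snippet below shows what B.com has to return for the browser to accept a cookie-carrying request from A.com: the exact Origin echoed back from an allow-list (a wildcard is rejected once credentials are involved), Allow-Credentials set, and a cookie marked SameSite=None; Secure. The origin names and the session value are constructed; even with all of this in place, a browser that blocks third-party cookies will still drop the cookie, which is the limitation the answer above describes.

```javascript
// Added example, not from the original post. Origins are constructed.
const ALLOWED_ORIGINS = new Set(['https://a.example', 'https://app.a.example']);

// Response headers B.com sends so that a credentialed request from an
// allow-listed A.com page is accepted. Returns null for any other origin:
// with credentials the browser refuses Access-Control-Allow-Origin: *, so
// the origin must be echoed explicitly, and echoing arbitrary origins would
// let any site read the authenticated response.
function corsHeadersFor(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Headers': 'Content-Type',
    Vary: 'Origin', // caches must not serve one origin's answer to another
  };
}

// Session cookie that has to travel on a cross-site request. Modern browsers
// only attach a cookie cross-site when SameSite=None is paired with Secure.
function crossSiteCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=None`;
}

// Minimal handler: reject unknown origins, answer the preflight, otherwise
// respond with the CORS headers and set the cookie.
function handle(req) {
  const headers = corsHeadersFor(req.headers.origin || '');
  if (!headers) return { status: 403, headers: {}, body: '' };
  if (req.method === 'OPTIONS') {
    return {
      status: 204,
      headers: { ...headers, 'Access-Control-Allow-Methods': 'GET, POST' },
      body: '',
    };
  }
  return {
    status: 200,
    headers: { ...headers, 'Set-Cookie': crossSiteCookie('sid', 'constructed-session-id') },
    body: 'ok',
  };
}
```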