18

I think I misunderstood the management of cookies with xmlhttprequest. I have a server that responds to the XMLHttpRequest made in javascript. My server returns Allow-Control-Access-Origin, Access-Control-Allow-Headers, Access-Control-Expose-Headers and Access-Control-Allow-Credentials headers with the correct value.

I'm doing a Digest Authenticate in a server with javascript, no problem in that. I correctly receive the WWW-Authenticate header from server. I process and send to the server the Authorization header with all the digest-response and everything is ok.

The problem is, when the digest-challenge is successful, my server returns a Set-Cookie Header. I have to get it and add to the rest of all of my xhr request.

The browser (using Chromium and Chrome) won't let me access to the header doing:

xhr.getResponseHeader("Set-Cookie");

Ok, in the XMLHTTPREQUEST Level 2 it says: "Returns all headers from the response, with the exception of those whose field name is Set-Cookie or Set-Cookie2"

Ok, so I can't access it, but what are the alternatives? Using the Chrome API for cookies (at the moment I haven't read anything about it), but I want to use the most standard method as possible.

Does:

xhr.withCredentials = true;

mean the browser automatically gets the set-cookie and sends cookie headers??

Skull Kid
  • 117
  • 7
Kalamarico
  • 5,466
  • 22
  • 53
  • 70

1 Answers1

16

From CORS spec http://www.w3.org/TR/cors/#make-a-request-steps:

Whenever the make a request steps are applied, fetch the request URL from origin source origin with the manual redirect flag set, and the block cookies flag set if the omit credentials flag is set. Use method request method, entity body request entity body, including the author request headers, and include user credentials if the omit credentials flag is unset. Exclude the Referer header if source origin is a globally unique identifier.

As you correctly says - cookies are added by browser if you use withCredentials.

ciis0
  • 311
  • 1
  • 9
Artem Oboturov
  • 4,344
  • 2
  • 30
  • 48
  • can you confirm that in this case they are sending cookies, generated and set by site A (main page) to the site B (Ajax destination)? – Kirill Kobelev Oct 12 '12 at 04:56
  • No. Only those cookies that were originated from the domain B will be sent there. On the other hand, the `Referer` will be sent containing the originating URI of site A - and if you had some HTTP parameters - they will be visible to the B site. – Artem Oboturov Oct 13 '12 at 19:54
  • hrm, the link is broken. :( – ciis0 May 10 '23 at 13:26
  • there does not seems to be an direct equivalent in the new spec, but the archive link is https://web.archive.org/web/20120603082313/http://www.w3.org/TR/cors/#make-a-request-steps – ciis0 May 10 '23 at 13:30