
I have a setup where a client application is running on a different domain (http://www.example.com) than the server application (http://www.example2.com). I've got the cross domain AJAX requests working except that I cannot figure out a way to send cookies with the request without having to add the Access-Control-Allow-Origin response header for each possible domain. Is there a way to set this up without having to specify a list of domains in that header? I'm aware of the security implications so I guess what I'm really asking is ... is there another framework separate from CORS that I can use which will allow this type of setup and at the same time allow any domain for the client application? I tried JSONP but that did not work out (could not send the cookie with the JSONP request). Is there something else I should try other than CORS and JSONP? Thanks.

EDIT: This is not a duplicate of the question mentioned in the duplicate notification. I'm already aware of the withCredentials flag. The problem is that I don't want to have to specify a list of domains in the CORS response header. I want something equivalent to setting that value to '*', but setting it to '*' is not allowed if sending a cross domain AJAX request that contains cookies.

sideshowbarker
Andrew
  • The equivalent of `Access-Control-Allow-Origin: *` for requests with credentials is to configure the backend for the server the request is being sent to such that it takes the value of the `Origin` request header and basically just echoes it to the value of the `Access-Control-Allow-Origin` response header. How exactly to do that depends on what web server and programming environment you’re running on the server backend. So if you add details here about what backend you’re running, then others here can help you figure out how to echo the Origin like that. (P.S. Have voted to reopen this.) – sideshowbarker Apr 16 '17 at 22:45
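
The Origin-echoing approach described in the comment above, as an added example that is not part of the original thread. The question does not name its backend, so a Node.js-style handler is assumed; `corsHeaders`, `handler` and the optional `isAllowed` hook are hypothetical names, and the sample request is constructed.

```javascript
// Added example: build CORS response headers by echoing the request's Origin.
// isAllowed is a hypothetical hook; its default accepts every origin, which
// is the "equivalent of *" for credentialed requests that the comment describes.
function corsHeaders(reqHeaders, method, isAllowed = () => true) {
  // Caches must key on Origin because the response now differs per origin.
  const headers = { 'Vary': 'Origin' };
  const origin = reqHeaders['origin'];
  // No Origin header (not a cross-origin browser request) or origin refused:
  // add no CORS headers, so the browser blocks the cross-origin read.
  if (!origin || !isAllowed(origin)) return headers;

  headers['Access-Control-Allow-Origin'] = origin;      // echoed value, never '*'
  headers['Access-Control-Allow-Credentials'] = 'true'; // needed for cookies

  if (method === 'OPTIONS' && reqHeaders['access-control-request-method']) {
    // Preflight: '*' is not a wildcard here either when credentials are
    // involved, so echo the method and headers the browser asked for.
    headers['Access-Control-Allow-Methods'] =
      reqHeaders['access-control-request-method'];
    const wanted = reqHeaders['access-control-request-headers'];
    if (wanted) headers['Access-Control-Allow-Headers'] = wanted;
  }
  return headers;
}

// Node http-style request handler built on the function above.
function handler(req, res) {
  const headers = corsHeaders(req.headers, req.method);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  if (req.method === 'OPTIONS') { res.statusCode = 204; return res.end(); }
  res.setHeader('Content-Type', 'application/json');
  res.end(JSON.stringify({ ok: true }));
}

// Constructed sample request headers (Node lowercases header names).
const sample = { origin: 'http://www.example.com', cookie: 'sid=constructed' };
console.log(corsHeaders(sample, 'GET'));
```

Passing a predicate as `isAllowed` (for example a pattern match on the origin) narrows which origins are echoed without maintaining a fixed list in the header.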

0 Answers