I have a question regarding a cross-origin HttpOnly cookie. I have created a very simple Express example:
const express = require("express");
const cookieParser = require("cookie-parser");
const app = express();
const port = 5000;

app.use(cookieParser());

// CORS headers for credentialed cross-origin requests. Allow-Origin has to be
// an explicit origin (not "*") whenever Allow-Credentials is "true".
app.use((req, res, next) => {
  res.set("Access-Control-Allow-Origin", "{frontend-url}");
  res.set("Access-Control-Allow-Credentials", "true"); // must be the literal string "true"
  res.set("Access-Control-Allow-Methods", "GET, POST");
  // In a credentialed request "*" is matched as a literal header name, not as a wildcard.
  res.set("Access-Control-Allow-Headers", "Content-Type, *");
  return next();
});

// Sets the cookie during a top-level visit (first-party context) and then
// redirects to the frontend. sameSite: false makes Express omit the SameSite
// attribute entirely.
app.get("/", (req, res) => {
  res.cookie("auth", true, {
    httpOnly: true,
    sameSite: false,
    secure: true,
  });
  res.redirect("{frontend-url}");
});

// Called cross-origin from the frontend with credentials: "include".
app.get("/epc", (req, res) => {
  console.log(req.cookies["auth"]);
  return res.json({ auth: req.cookies["auth"] });
});

app.listen(port, () => {
  console.log(`Example app listening at: ${port}`);
});
I am using ngrok for testing, and I also have my frontend created with a static site builder. I make a fetch request like the one below:
fetch("{cookie-creator-server-url}/epc", {
  credentials: "include",
});
I also first go to {cookie-creator-server-url}/, which should add the cookie and redirect to {frontend-url}, and from {frontend-url} the fetch request should then pass the cookie back to {cookie-creator-server-url}. However, sometimes the cookie is not saved, sometimes the cookie is not sent, and sometimes (on Firefox) the cookie gets sent but I cannot see it in my browser's cookies.
In case anyone has already done a cross-origin HttpOnly cookie with Express, please help me identify where I am doing something wrong.
Thank you.
Update 1:
I changed the sameSite option to "none" and now it is working on Chrome and Firefox. However, in incognito mode and in Iridium I am getting the error "this cookie was blocked due to user preferences",
which, based on How to fix "This Set-Cookie was blocked due to user preferences" in Chrome? (Stackoverflow SSO Login / Ajax CORS request), is going to be the default behaviour in Chrome in the future. Can someone please provide more information on this topic? Is there any workaround for it?
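The three outcomes described in the question (cookie stored but never sent, cookie sent after switching to SameSite=None, cookie blocked by user preferences) all follow from a handful of browser rules. The script below is an added example, not code from the question or from Express: it renders an Express-style cookie option object as a Set-Cookie header and then applies a simplified model of Chrome's cookie policy to a cross-site `fetch(..., { credentials: "include" })`. The model assumes the cookie is set on the top-level visit to `/` (first-party context) and that `/epc` is the cross-site request; the `ctx` fields (`https`, `crossSite`, `blockThirdPartyCookies`, `laxByDefault`) are names chosen here, not browser APIs. The rules encoded are: a `Secure` cookie is rejected over plain http, `SameSite=None` without `Secure` is rejected, a missing SameSite attribute is treated as Lax when `laxByDefault` is on (Chrome's default), Lax/Strict cookies are not attached to cross-site fetches, and third-party cookie blocking (incognito-style) withholds even a `SameSite=None; Secure` cookie.

```javascript
// Added example, not part of the original question. A simplified model of
// whether a browser stores an Express-style cookie and attaches it to a
// cross-site fetch with credentials: "include". Chrome-like defaults.

// Mirrors the res.cookie() options used in the question. Express omits the
// SameSite attribute for sameSite:false and emits Strict for sameSite:true.
function buildSetCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(String(value))}`];
  if (opts.httpOnly) parts.push("HttpOnly");
  if (opts.secure) parts.push("Secure");
  if (opts.sameSite === true) parts.push("SameSite=Strict");
  else if (typeof opts.sameSite === "string") {
    const v = opts.sameSite.toLowerCase();
    parts.push(`SameSite=${v[0].toUpperCase()}${v.slice(1)}`);
  }
  return parts.join("; ");
}

// Minimal Set-Cookie parser: name/value plus the three attributes we care about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const [name, ...rest] = pair.split("=");
  const cookie = { name, value: decodeURIComponent(rest.join("=")), secure: false, httpOnly: false, sameSite: null };
  for (const attr of attrs) {
    const [k, v] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") cookie.sameSite = (v || "").toLowerCase();
  }
  return cookie;
}

// ctx (names assumed for this example): { https, crossSite, blockThirdPartyCookies, laxByDefault }
// Returns whether the cookie is stored on the first-party visit and whether it
// is sent on the later cross-site fetch, with the rule that decided it.
function evaluateCrossSiteFetch(header, ctx) {
  const c = parseSetCookie(header);
  // Storage-time checks, applied when Set-Cookie arrives on the visit to "/".
  if (c.secure && !ctx.https) return { stored: false, sent: false, reason: "Secure cookie over http is rejected" };
  if (c.sameSite === "none" && !c.secure) return { stored: false, sent: false, reason: "SameSite=None requires Secure" };
  // Send-time checks, applied to the fetch from the frontend origin.
  const effective = c.sameSite ?? (ctx.laxByDefault ? "lax" : "none");
  if (!ctx.crossSite) return { stored: true, sent: true, reason: "same-site request, SameSite does not apply" };
  if (effective !== "none") return { stored: true, sent: false, reason: `SameSite=${effective} cookie is not attached to a cross-site fetch` };
  if (ctx.blockThirdPartyCookies) return { stored: true, sent: false, reason: "third-party cookies blocked by user preferences" };
  return { stored: true, sent: true, reason: "SameSite=None; Secure is allowed in a third-party context" };
}

// Constructed scenarios matching the question: ngrok gives https on both sides.
const base = { https: true, crossSite: true, blockThirdPartyCookies: false, laxByDefault: true };
const scenarios = {
  original: buildSetCookie("auth", true, { httpOnly: true, sameSite: false, secure: true }),
  update1: buildSetCookie("auth", true, { httpOnly: true, sameSite: "none", secure: true }),
  noneWithoutSecure: buildSetCookie("auth", true, { httpOnly: true, sameSite: "none", secure: false }),
};

function runScenarios() {
  return {
    original: evaluateCrossSiteFetch(scenarios.original, base),
    update1: evaluateCrossSiteFetch(scenarios.update1, base),
    update1Incognito: evaluateCrossSiteFetch(scenarios.update1, { ...base, blockThirdPartyCookies: true }),
    noneWithoutSecure: evaluateCrossSiteFetch(scenarios.noneWithoutSecure, base),
  };
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

Running it shows the original configuration is stored but never sent (no SameSite attribute, so Chrome treats it as Lax), the Update 1 configuration is sent normally but withheld once third-party cookies are blocked, and SameSite=None without Secure is never stored at all. A browser that does not default to Lax can be modelled by passing `laxByDefault: false`, under which the original cookie is sent, which is the kind of cross-browser difference the question reports.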