
Through the header "Access-Control-Allow-Credentials" one can define that the response will be exposed and accessible to JavaScript.

From the Docs:

Credentials are cookies, authorization headers, or TLS client certificates.

When using Cors - Cookies I need to set this header to true (https://stackoverflow.com/a/46412839/6458608).

Through a "http-only" cookie I can define that a cookie should not be exposed in the JS - context.

These two configs are challenging each other, at least in my understanding.

Questions:

  • Is there some priority like "an http-only cookie is never exposed to the JS - context even when the allow-credentials header is set"?
  • Do I need to consider something while using cors - cookies? Or can I tell for sure that I can never access an http-only - cookie in JavaScript?
Matthias Gwiozda

1 Answer

These two settings are related, but don't challenge each other. In the case of http-only you are saying whether or not you'd ever have access to the value of the cookie in javascript.

On the other hand, the header Access-Control-Allow-Credentials is set by the server, to tell the browser whether javascript has the ability to tell the browser to send cookies on a CORS request (using the withCredentials flag on xhr). So, javascript would still not have access to the actual cookie values, it just now has a way to modify the browser behavior on when to send cookie values.

More information -

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials

David
  • This fits with the behaviour of the browser and some tests I have done to understand the concepts. In this case I find that the mozilla - documentation is a little bit misleading. – Matthias Gwiozda Dec 14 '21 at 14:35
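An added example (not code from the question or the answer) showing the server side of what the answer describes: the CORS headers that let a browser attach cookies to a cross-origin request, the HttpOnly Set-Cookie that keeps the value out of document.cookie, and a small model of which cookies script can read. The allowlisted origin, the cookie name and the port are assumptions; one caveat beyond the answer is that a credentialed response must echo a specific allowlisted origin, because browsers reject "*" together with Allow-Credentials: true.

```javascript
// Origins allowed to make credentialed requests (assumed value for this example).
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// CORS headers for a credentialed request. The browser rejects "*" when
// Allow-Credentials is true, so the server must echo one specific origin,
// and only an origin that is on its allowlist (never a reflected unknown one).
// null means: send no CORS headers, so the cross-origin read is blocked.
function corsHeaders(requestOrigin) {
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) return null;
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    // Tell caches the response depends on the Origin header.
    'Vary': 'Origin',
  };
}

// Set-Cookie for the session cookie. HttpOnly is what hides the value from
// script; Allow-Credentials only decides whether the browser sends it along
// with a cross-origin request. SameSite=None (with Secure) is needed for the
// cookie to be sent cross-site at all.
function sessionCookie(value) {
  return `session=${encodeURIComponent(value)}; HttpOnly; Secure; SameSite=None; Path=/`;
}

// Simplified model of document.cookie: every cookie the server set that does
// NOT carry HttpOnly is visible to script, regardless of any CORS header.
function visibleToScript(setCookieHeaders) {
  return setCookieHeaders
    .filter((h) => !/;\s*HttpOnly\b/i.test(h))
    .map((h) => h.split(';')[0].trim());
}

// Minimal server wiring the pieces together (assumed port; call startServer(8080)).
function startServer(port) {
  const http = require('http');
  return http.createServer((req, res) => {
    const cors = corsHeaders(req.headers.origin);
    if (cors) for (const [k, v] of Object.entries(cors)) res.setHeader(k, v);
    if (req.method === 'OPTIONS') { res.writeHead(204); res.end(); return; }
    res.setHeader('Set-Cookie', sessionCookie('opaque-session-id'));
    res.writeHead(200, { 'Content-Type': 'application/json' });
    res.end(JSON.stringify({ ok: true }));
  }).listen(port);
}
```

A page on https://app.example.com can then use fetch with credentials: 'include' (or xhr.withCredentials = true) and the browser attaches the session cookie, while document.cookie on that page still never contains it.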