

access-control-allow-origin: http://localhost:3000
content-length: 299
content-type: application/json; charset=utf-8
date: Mon, 01 May 2023 11:35:51 GMT
etag: W/"12b-8efK5dxnadj10qqm+FsB8wLDLFE"
set-cookie: refreshToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiI1YTk3NzgxZC05ZWQ4LTQxZTItOThhNi03ZmMzNTg0MTNjNTUiLCJpYXQiOjE2ODI5NDA5NTEsImV4cCI6MTY4NDE1MDU1MX0.avIPao2AXowDOKHYG0Ft2WiSgocASgxZePqaP5xF0sw; Domain=localhost; Path=/; HttpOnly; SameSite=Lax
vary: Origin
x-powered-by: Express

Set-Cookie was blocked because its Domain attribute was invalid with regards to the current host url

server url : https://abcd.site

front url : http://localhost:3000

  • SameSite=None and the Secure option need "https", but our front end is not yet deployed.

  • I tried the Next.js config setting:

// next.config.js
/** @type {import('next').NextConfig} */
const nextConfig = {
  reactStrictMode: true,
  compiler: { emotion: true },
  // Proxy every path through the Next.js dev server to the API, so that the
  // browser only ever talks to http://localhost:3000
  async rewrites() {
    return [
      {
        source: "/:path*",
        destination: "https://need-romance.site/:path*",
      },
    ];
  },
};

module.exports = nextConfig;

// auth.ts (file name assumed)
import axios from "axios";

// Base URL of the API. The browser error below shows the request going to
// https://need-romance.site directly, so that value is assumed here.
const URL = "https://need-romance.site";

export const login = async (email: string, password: string) => {
  try {
    const response = await axios({
      method: "post",
      url: URL + "/auth/login",
      data: {
        email,
        password,
      },
      // send and accept cookies on this cross-origin request
      withCredentials: true,
      headers: {
        "Cache-Control": "no-cache",
      },
    });

    return response.data;
  } catch (error) {
    console.log(error);
  }
};

Access to XMLHttpRequest at 'https://need-romance.site/auth/login' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header has a value 'localhost:3000' that is not equal to the supplied origin.

This attempt to set a cookie via a Set-Cookie header was blocked because it had the "SameSite=Lax" attribute but came from a cross-site response which was not the response to a top-level navigation.

There were errors like this, too.

I asked them to search on the Internet, but the error only changed and it was not solved.

I tried removing the credentials option; the error in the yellow triangle disappeared, but the cookie still wasn't set.

It definitely worked before, when it was http.

help me...

Hanimoon
  • Why do you need to set a cookie to the front-end URL? Shouldn't the cookies be sent with requests to the back-end server? – Ivar May 01 '23 at 11:59
  • @Ivar I'm sorry, I didn't understand what you meant. Can you explain it with an example? Where should I change it? – Hanimoon May 01 '23 at 12:53
  • @Hanimoon Do you even have a good reason to use the `Domain` attribute when setting your cookie? Do you understand the effects/implications of doing so? If not, read [this](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#domain_attribute). Anyway, in your specific case, the only legal value of the `Domain` attribute is `need-romance.site`; attempts to set your cookie with a `Domain` attribute whose value is anything other than `need-romance.site` will be rejected by browsers. – jub0bs May 01 '23 at 13:03
  • @jub0bs Thank you. Is it wrong that the domain was localhost:3000? But I tried not using the domain attribute at all, but I can't see the response header because it says "provisional headers are shown." – Hanimoon May 02 '23 at 03:25
  • @Ivar Fixed it. Thank you. What does "Why do you need to set a cookie to front-end URL? Shouldn't the cookies be sent with requests to the back-end server?" mean? – Hanimoon May 02 '23 at 03:29
  • @Hanimoon I assume that you have a front-end and a back-end, and that only the backend needs to be aware of the cookies. In that case it doesn't make sense to add cookies to the front end's domain in the first place. As mentioned, you probably don't need to set the domain at all. "provisional headers are shown" most likely means that the request/response was never made. [This post](https://stackoverflow.com/questions/21177387/caution-provisional-headers-are-shown-in-chrome-debugger) says it might be blocked by extensions, it might be cached or it could be blocked due to CORS. – Ivar May 02 '23 at 10:37
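The three browser messages quoted in the question (the rejected Domain attribute, the CORS origin mismatch, and the SameSite=Lax cookie blocked on a cross-site XHR response) come from three separate checks. The block below is an added example, not code from the question or its comments: it models each check the way RFC 6265 and the Fetch standard describe it, then runs them over the response as posted, over a corrected response (exact origin with scheme, Access-Control-Allow-Credentials, no Domain attribute, SameSite=None; Secure, which is allowed because the cookie is set by the https API response, not by the http front end), and over the same request proxied through the Next.js rewrite, where everything is same-origin. Host names are those from the question; the `siteOf` helper approximates the registrable domain as the last two host labels because no public-suffix list is embedded, and the http://localhost exemption for Secure cookies is left out. Both simplifications are assumptions of this example.

```javascript
// Check 1 (RFC 6265 5.3): may a response from responseUrl set a cookie
// whose Domain attribute is domainAttr?
function domainAttributeAllowed(responseUrl, domainAttr) {
  const host = new URL(responseUrl).hostname;
  // No Domain attribute: host-only cookie for exactly the response host.
  if (domainAttr === undefined || domainAttr === "") {
    return { ok: true, domain: host, hostOnly: true };
  }
  let d = domainAttr.toLowerCase();
  if (d.startsWith(".")) d = d.slice(1); // a leading dot is ignored
  // A cookie domain is a host name; "localhost:3000" (with a port) is never valid.
  if (!/^[a-z0-9-]+(\.[a-z0-9-]+)*$/.test(d)) {
    return { ok: false, reason: `"${domainAttr}" is not a valid cookie domain` };
  }
  // Domain-match: the response host must equal d or be a subdomain of d.
  if (host !== d && !host.endsWith("." + d)) {
    return { ok: false, reason: `${host} does not domain-match ${d}` };
  }
  // Real browsers additionally reject public suffixes such as "site" or "com".
  return { ok: true, domain: d, hostOnly: false };
}

// Check 2 (Fetch "CORS check"): is this cross-origin response readable?
function corsCheck(requestOrigin, responseHeaders, withCredentials) {
  const acao = responseHeaders["access-control-allow-origin"];
  if (acao === undefined) {
    return { ok: false, reason: "No 'Access-Control-Allow-Origin' header is present" };
  }
  if (acao === "*") {
    return withCredentials
      ? { ok: false, reason: "wildcard origin is not allowed when credentials mode is 'include'" }
      : { ok: true };
  }
  // Byte comparison with the serialized Origin, which always carries the
  // scheme: "localhost:3000" is not "http://localhost:3000".
  if (acao !== requestOrigin) {
    return { ok: false, reason: `'Access-Control-Allow-Origin' has a value '${acao}' that is not equal to the supplied origin` };
  }
  if (withCredentials && responseHeaders["access-control-allow-credentials"] !== "true") {
    return { ok: false, reason: "credentials mode is 'include' but 'Access-Control-Allow-Credentials' is not 'true'" };
  }
  return { ok: true };
}

// "Site" = scheme + registrable domain (approximated as the last two labels;
// assumption of this example, real browsers consult the public suffix list).
function siteOf(url) {
  const u = new URL(url);
  return u.protocol + "//" + u.hostname.split(".").slice(-2).join(".");
}

// Check 3: may a cookie with these attributes be stored from a non-navigation
// (XHR/fetch) response when the request was made from requestOrigin?
function sameSiteAllowsSet(requestOrigin, responseUrl, attrs) {
  const sameSite = (attrs.sameSite || "Lax").toLowerCase(); // Chrome defaults to Lax
  if (sameSite === "none" && !attrs.secure) {
    return { ok: false, reason: "SameSite=None requires the Secure attribute" };
  }
  // Secure is judged against the URL that sets the cookie, i.e. the API response
  // (localhost exemption omitted here).
  if (attrs.secure && new URL(responseUrl).protocol !== "https:") {
    return { ok: false, reason: "a Secure cookie can only be set over https" };
  }
  if (siteOf(requestOrigin) === siteOf(responseUrl)) return { ok: true };
  if (sameSite !== "none") {
    return { ok: false, reason: `SameSite=${attrs.sameSite} cookie came from a cross-site response that was not a top-level navigation` };
  }
  return { ok: true };
}

// Run all three checks on one login response and return the failures.
function evaluate({ requestOrigin, responseUrl, headers, withCredentials, cookie }) {
  const problems = [];
  if (new URL(responseUrl).origin !== requestOrigin) { // CORS only applies cross-origin
    const cors = corsCheck(requestOrigin, headers, withCredentials);
    if (!cors.ok) problems.push("CORS: " + cors.reason);
  }
  const dom = domainAttributeAllowed(responseUrl, cookie.domain);
  if (!dom.ok) problems.push("Domain: " + dom.reason);
  const ss = sameSiteAllowsSet(requestOrigin, responseUrl, cookie);
  if (!ss.ok) problems.push("SameSite: " + ss.reason);
  return problems;
}

// Constructed scenarios built from the question's hosts and headers.
const API = "https://need-romance.site/auth/login";
const FRONT = "http://localhost:3000";

// The response as posted: three problems, one per browser message.
const asPosted = evaluate({
  requestOrigin: FRONT, responseUrl: API, withCredentials: true,
  headers: { "access-control-allow-origin": "localhost:3000" },
  cookie: { domain: "localhost", sameSite: "Lax", secure: false },
});

// A response the browser accepts for the cross-site setup: no problems.
const fixed = evaluate({
  requestOrigin: FRONT, responseUrl: API, withCredentials: true,
  headers: { "access-control-allow-origin": FRONT, "access-control-allow-credentials": "true" },
  cookie: { sameSite: "None", secure: true },
});

// The same login proxied by the Next.js rewrite: same-origin, so Lax is fine.
const proxied = evaluate({
  requestOrigin: FRONT, responseUrl: FRONT + "/auth/login", withCredentials: true,
  headers: {}, cookie: { sameSite: "Lax", secure: false },
});

console.log({ asPosted, fixed, proxied });
```

Note that the proxied scenario only holds if the front end calls the relative path `/auth/login` so the rewrite is hit; an absolute `https://need-romance.site/...` URL in the axios call bypasses the rewrite and lands in the cross-site case.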
