HTTP Cookies
Pavel Karinin, 2017-10-19 16:15:00

Sore point: accepting cookies for cross-domain requests?

Having dug through a lot of specifications and "recommendations", I still cannot arrive at a definitive understanding of how to perform a simple task:
There is a domain first.com whose client script sends a POST request (XMLHttpRequest) to the domain second.com:

var xhr = new XMLHttpRequest();
xhr.open('POST', 'https://second.com/some_path', true);
xhr.onloadend = function() { ... };
xhr.send(request_body);

In response to this request, the second.com server should send cookies, which will only be needed by the second.com domain in the future. In this case, the second.com server sends the following headers:
Access-Control-Allow-Origin: https://first.com
Access-Control-Allow-Methods: POST, OPTIONS, HEAD

I note that (in my case) there is no need to pass the values of these cookies to the first.com script or anywhere else; they just need to be set for second.com. Besides, (in my case) the cookies are sent with the HttpOnly flag.
The question is this:
  1. Will the second.com domain accept/set these cookies sent in the response, i.e. will they be preserved on subsequent requests to second.com?
  2. Maybe additional headers are needed when sending the request to second.com and/or additional headers in the response from the server?

I ask this question not only for myself but, as I understand it, for many others: there are similar questions on Toaster, but there are no clear answers, or I did not find them (which is most likely).

2 answers

Pavel Karinin, 2018-05-02
@pavelkarinin

Literally right before publishing the project, I am answering my own question (for myself and maybe for others, including dimonchik2013). When I asked this question, I physically did not have the opportunity to check my assumptions, because at that time various nuances were only being thought out. The complexity of the issue was for the most part that browsers behave differently with third-party cookies + user preferences. To this day, there is no single recipe for 100% reliable cookie setting for cross-domain requests, although there is some progress (but that is a separate issue).
The issue was resolved by combining the existing practices for solving this problem, namely this: on the first.com page we place an empty and invisible iframe and load into it a page from the second.com domain, which executes a script that creates a form with the POST method and an action address to which the server will set cookies in response (of course, for second.com, as was necessary in my case). After that, the iframe can "inform" the parent window by means of postMessage that everything went smoothly or that something happened; in turn, the parent window deletes this iframe. All browsers with cookies enabled but with different settings for accepting third-party cookies handled this scenario just fine.
I also want to note: I often see (there is even such an example on Habr) that instead of a form for such cases, they use another nested iframe with the address at which the server will set the cookie. You should not do this, since this method does not work in all browsers; you need a POST request, and that is what the form is for (especially for Safari).
In my case, there should be 4 different second.coms, so the above script is run in a loop for each required domain. As a result, the whole process runs in parallel for these enumerated domains. The delays associated with the time of loading content into the iframe, submitting the forms and receiving a response do not matter in my scenario, but given the size of the code for creating and sending it, the weight there is minimal; the rest depends on the network and the response speed of the server. In my case it doesn't matter much.

Dimonchik, 2017-10-19
@dimonchik2013

What stops you from checking it by hand?
