This project demonstrates how HTTP cookies behave in same-site and cross-site requests.
RFC6265 - HTTP State Management Mechanism
Note that the HSMM specification grants user agents wide latitude to experiment with third-party cookie policies that balance the privacy and compatibility needs of their users. However, it does not endorse any particular third-party cookie policy.
By default, browsers do not send credentials (HTTP cookies and HTTP Authentication information) on cross-site XMLHttpRequest or Fetch requests. A specific flag has to be set on the XMLHttpRequest object, or passed to the Request constructor or `fetch()`, when the request is made.

```javascript
// with XMLHttpRequest (unrelated code omitted)
const http = new XMLHttpRequest()
http.open('GET', 'https://api.github.com', true)
// Set the flag that allows cross-site credentials to be sent.
// Otherwise, cross-site credentials wouldn't be sent.
// The flag must be set before send() is called.
// https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials
http.withCredentials = true
http.send()
```

```javascript
// with the browser fetch API (unrelated code omitted)
// https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/fetch
// `url` is the cross-site endpoint being requested.
fetch(url, {
  credentials: 'include'
})
```

Note that for the browser to expose a credentialed response, the response headers must include `Access-Control-Allow-Credentials: true` and `Access-Control-Allow-Origin` set to the specific requesting origin, not the `*` wildcard.
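The server side of that rule, as an added example that is not part of this project's code: helpers that build the CORS response headers for a credentialed request and a check that encodes the browser's acceptance rule. The `ALLOWED_ORIGINS` allowlist and the `handleCors` handler shape are assumptions made for the example; the hostnames match the demo hosts configured later in this README.

```javascript
// Added example (not the project's own code): CORS rules a server must
// follow before a browser exposes a credentialed cross-site response.
// ALLOWED_ORIGINS is an assumed allowlist matching the demo hosts.
const ALLOWED_ORIGINS = new Set([
  'https://domain.com:5000',
  'https://main.domain.com:5000',
  'https://sub.domain.com:5000',
]);

// Build the CORS response headers for a request from `origin`.
// Returns an empty object when the origin is not allowed, so the browser
// blocks the response instead of the server falling back to '*'.
function corsHeadersFor(origin, allowed = ALLOWED_ORIGINS) {
  if (typeof origin !== 'string' || !allowed.has(origin)) return {};
  return {
    // Echo the exact origin; '*' is refused for credentialed requests.
    'Access-Control-Allow-Origin': origin,
    // Must be the literal string 'true' (not '1' or 'True').
    'Access-Control-Allow-Credentials': 'true',
    // The response depends on Origin, so caches must not reuse it across origins.
    'Vary': 'Origin',
  };
}

// Browser-side rule: a response to a request made with credentials: 'include'
// is only exposed to the page when ACAO equals the requesting origin
// (never '*') and ACAC is exactly 'true'.
function browserExposesCredentialedResponse(requestOrigin, headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  const acac = headers['Access-Control-Allow-Credentials'];
  return acao === requestOrigin && acao !== '*' && acac === 'true';
}

// Minimal Node-style request handler using the helpers above (assumed shape,
// not the project's server). Answers the CORS preflight (OPTIONS) so that
// non-simple credentialed requests can proceed; returns true when the
// request was fully handled here. Node lower-cases incoming header names.
function handleCors(req, res) {
  const headers = corsHeadersFor(req.headers.origin);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  if (req.method === 'OPTIONS') {
    if (Object.keys(headers).length > 0) {
      res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
      res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
    }
    res.statusCode = 204;
    res.end();
    return true;
  }
  return false;
}
```

Reflecting the `Origin` header only after checking it against an allowlist is the point: reflecting any origin unconditionally together with `Access-Control-Allow-Credentials: true` would let every site read the user's authenticated responses.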
- Run the following command to create the local SSL certificate used by the HTTPS server:

  ```
  npm run setup
  ```

- Add the demo hosts to your `/etc/hosts` file:

  ```
  127.0.0.1 domain.com
  127.0.0.1 main.domain.com
  127.0.0.1 sub.domain.com
  ```

- Start the HTTPS server:

  ```
  npm run start-https
  ```

- Browse the web page at one of:

  ```
  https://domain.com:5000
  https://main.domain.com:5000
  https://sub.domain.com:5000
  ```
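The three hosts above are cross-origin to each other but same-site with each other, which is the distinction this demo exercises. As an added example (not the project's own code), the following classifies each pair using the same-origin and schemeful same-site rules browsers apply. The `registrableDomain` helper is a simplification that assumes the registrable domain is the last two labels; real browsers consult the Public Suffix List, so it is only correct for hosts like the demo's `domain.com`.

```javascript
// Added example (not the project's code): same-origin vs same-site for the
// demo hosts configured in /etc/hosts.
const DEMO_URLS = [
  'https://domain.com:5000',
  'https://main.domain.com:5000',
  'https://sub.domain.com:5000',
];

// Simplified registrable domain: the last two DNS labels. Real browsers use
// the Public Suffix List (e.g. "example.co.uk" has three labels); this
// shortcut is an assumption that holds for the demo's domain.com hosts.
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Same-origin requires scheme, host and port to all match.
function isSameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Schemeful same-site: same scheme and same registrable domain.
// The port is ignored, unlike same-origin.
function isSameSite(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol &&
    registrableDomain(ua.hostname) === registrableDomain(ub.hostname);
}

// Classify every pair of demo URLs. A cross-site pair is where SameSite=Strict
// (and, for subresources, SameSite=Lax) cookies are withheld; a pair that is
// same-site but cross-origin still sends cookies with credentials: 'include',
// yet the CORS header rules described earlier still apply to reading the response.
function classifyPairs(urls = DEMO_URLS) {
  const rows = [];
  for (let i = 0; i < urls.length; i++) {
    for (let j = i + 1; j < urls.length; j++) {
      rows.push({
        from: urls[i],
        to: urls[j],
        sameOrigin: isSameOrigin(urls[i], urls[j]),
        sameSite: isSameSite(urls[i], urls[j]),
      });
    }
  }
  return rows;
}
```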
MIT © Bowen Liu