Wednesday, July 18, 2018

Firefox does not keep cookies sent by cross-domain even with all CORS allow


I am experiencing a problem with Firefox, while Chrome works fine. Here is the situation:

  • Website1.com returns an html page in SSL.
  • This page makes a request to Website2.com in SSL either via img tag or XMLHttpRequest (same issue).
  • Website2.com returns a cookie to be set for itself.
  • Firefox ignores this cookie. It is never stored even though it shows in the console.
  • The console doesn't complain about anything.

Client sends:

Origin: https://website1.com

Server returns:

Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: *
Access-Control-Allow-Origin: https://website1.com
Access-Control-Expose-Headers: *
Set-Cookie: ...

What else am I missing about CORS?

Thanks!

1 Answer

Access-Control-Allow-Credentials: true 

is a special flag. If one side declares it, the other also has to declare it, or else it's a security failure and the browser will not accept the data.

So add the same header to the client request. (Or, if you control the server, consider doing without cookies and passing the data through another mechanism.)
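The two halves of a credentialed cross-origin request, as an added example (not code from the question or the answer): the browser side has to opt in to sending and storing cookies on the request itself, and the server side has to answer with a specific origin plus explicit header and method lists, because with credentials the browser refuses `*` for `Access-Control-Allow-Origin` and reads `*` in the other `Access-Control-*` headers as a literal header name rather than a wildcard. The origin allowlist, the `allowHeaders`/`allowMethods` options and the function names are assumptions for illustration.

```javascript
// Added example, not from the original page.
//
// Browser side: XMLHttpRequest needs `xhr.withCredentials = true`; fetch()
// needs `credentials: 'include'`. Without this opt-in the browser discards
// the Set-Cookie on a cross-origin response even when the server's CORS
// headers are correct, and no console error is shown.
function credentialedFetchInit(method = 'GET') {
  return { method, mode: 'cors', credentials: 'include' };
}

// Server side: build the CORS response headers for a credentialed request.
// `allowedOrigins` is a hypothetical allowlist owned by the server.
// Returns null when the Origin is absent or not allowed, in which case the
// server should send no Access-Control-* headers at all.
function credentialedCorsHeaders(requestOrigin, allowedOrigins, opts = {}) {
  if (!requestOrigin || !allowedOrigins.includes(requestOrigin)) return null;

  const allowHeaders = opts.allowHeaders || ['Content-Type'];
  const allowMethods = opts.allowMethods || ['GET', 'POST'];
  const exposeHeaders = opts.exposeHeaders || [];

  // Wildcards are not honored on credentialed responses; refuse them here
  // rather than shipping a configuration that silently fails in the browser.
  for (const list of [allowHeaders, allowMethods, exposeHeaders]) {
    if (list.includes('*')) {
      throw new Error("'*' is not a wildcard on credentialed CORS responses; list values explicitly");
    }
  }

  const headers = {
    // Echo the one allowed origin; never '*' when credentials are in play.
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Headers': allowHeaders.join(', '),
    'Access-Control-Allow-Methods': allowMethods.join(', '),
    // The response body/headers depend on Origin, so shared caches must key on it.
    'Vary': 'Origin',
  };
  if (exposeHeaders.length > 0) {
    headers['Access-Control-Expose-Headers'] = exposeHeaders.join(', ');
  }
  return headers;
}

// Constructed sample: the situation from the question.
const sampleOrigin = 'https://website1.com';
const sampleAllowlist = ['https://website1.com'];
const sampleResponseHeaders = credentialedCorsHeaders(sampleOrigin, sampleAllowlist, {
  allowHeaders: ['Content-Type', 'X-Requested-With'],
});

module.exports = { credentialedFetchInit, credentialedCorsHeaders, sampleResponseHeaders };
```

On the server, apply the returned object with one `res.setHeader(name, value)` per entry before writing the body. If both halves are in place and Firefox still drops the cookie, the remaining suspects are outside CORS: the browser's third-party cookie policy, and the cookie's own attributes (a cookie meant to be set in a cross-site context needs `SameSite=None; Secure` in current browsers).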
