![\"\"](\"https:\/\/promincproductions.com\/blog\/wp-content\/uploads\/2017\/04\/AJAX-CORS-with-Cookies.jpg\")
<\/a>CORS vs JSONP<\/h2>\n\n\n\n
I’m not going to go into full details here – just hit on the tip top level. A plethora of information is available on the internet for these topics.<\/p>\n\n\n\n
CORS<\/a> (Cross-origin resource sharing) is a mechanism implemented by browsers to ensure that malicious requests to a server can’t be made – it’s a restriction method. It respects the Same-origin<\/a> policy for security reasons.<\/p>\n\n\n\n First off, JSONP<\/a> technically is a way to solve this problem, however I don’t advise it as the correct solution. \u00a0It is an old and outdated technology and has security flaws. \u00a0The basics of it is that a request to the server (with cookies) is made by the browser for a Javascript function. \u00a0A function is returned and the browser can then use it to process the response as needed.<\/p>\n\n\n\n There are two things that need to be done here:<\/p>\n\n\n\n You need to tell your AJAX request to pass credentials with this bit of code:<\/p>\n\n\n\n Reference: MDN XMLHttpRequest.withCredentials<\/a><\/p>\n\n\n\n This parameter indicates if a cross-domain request should send credentials (which include cookies, TLS certificates, authorization headers, etc.).<\/p>\n<\/blockquote>\n\n\n\n Here is a full example of what the basic AJAX request should look like.<\/p>\n\n\n\n The browser is now passing cookies (credentials) to the server. <\/p>\n\n\n\n The server now needs to respect the CORS request and respond with the correct headers. There are two headers that need to be set for this to work roundtrip.<\/p>\n\n\n\n This needs to be set to the domain from which the browser made the request. \u00a0So if the URL in the browser is:<\/p>\n\n\n\n and makes the AJAX request to:<\/p>\n\n\n\n then this header needs to be set as so:<\/p>\n\n\n\n What this header says is that this is the only domain that is allowed to make this cross-origin request – essentially the two domains are the same domain. A request from any other domain will fail the Same-origin policy of CORS and the request will fail.<\/p>\n\n\n\nHow to Pass Cookies on a Cross-Domain AJAX Request from Browser to Server<\/h2>\n\n\n\n
\n
Configuring the AJAX Request<\/h3>\n\n\n\n
xhrFields: { withCredentials: true },<\/code><\/pre>\n\n\n\nAJAX Parameter: <\/strong>withCredentials<\/h4>\n\n\n\n
\n
AJAX Request<\/h4>\n\n\n\n
jQuery.ajax({\n\turl: \"http:\/\/subdomain.yourserver.com\/getinformation\/\",\n\tdataType: 'json',\n\txhrFields: { withCredentials: true },\n\tsuccess: function(data) {\n\t\tconsole.log(data);\n\t}\n});<\/code><\/pre>\n\n\n\nServer Headers<\/h3>\n\n\n\n
Header: Access-Control-Allow-Origin<\/h4>\n\n\n\n
http://www.yourserver.com<\/code><\/pre>\n\n\n\nhttp://subdomain.yourserver.com\/getinformation\/<\/code><\/pre>\n\n\n\nAccess-Control-Allow-Origin:http:\/\/www.yourserver.com<\/code><\/pre>\n\n\n\n