Safari doesn't set CORS cookies using the JS Fetch API

I cannot get Safari to successfully apply Set-Cookie server responses when using the Fetch API (in fact, through the fetch polyfill). The same code works correctly in FF and Chrome (I tested using both native and polyfill fetch).

  • The request is cross-domain;
  • yes, I set credentials: true;
  • the server responds with a Set-Cookie header;
  • subsequent requests from Chrome and FF are sent with Cookie request headers, but Safari's are not;
  • the request uses HTTPS (the certificate is self-signed and on the development domain, but Safari seems to accept it for regular requests); and

Does anyone know what could be the problem?

I read the documentation and looked at many closed bug reports. Unless I missed something, I think the problem is with the "default browser behavior" regarding cookies and CORS, and not with fetch (reading through the polyfill source code, it seems it does not deal with cookies at all). Several bug reports indicate that a malformed server response may prevent cookies from being stored.

My code is as follows:

// baseUrl and code are defined elsewhere in the app; from the cURL transcript
// below, baseUrl is the API root, e.g. 'https://mydevserver:8443/api/v1'.
function buildFetch(url, init = {}) {
    // Merge the caller's headers with a JSON content type, and always send
    // cookies on this cross-origin request.
    let headers = Object.assign({}, init.headers || {}, {'Content-Type': 'application/json'});
    let params = Object.assign({}, init, { credentials: 'include', headers });

    return fetch(`${baseUrl}${url}`, params);
}

buildFetch('/remote/connect', {method: 'PUT', body: JSON.stringify({ code })})
    .then(response => response.json())
    .then(/* complete authentication */);

This authorization request is shown below. I used cURL to get accurate request/response data, as Safari makes copying and pasting difficult.

curl 'https://mydevserver:8443/api/v1/remote/connect' \
-v \
-XPUT \
-H 'Content-Type: application/json' \
-H 'Referer: http://localhost:3002/' \
-H 'Origin: http://localhost:3002' \
-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/602.4.8 (KHTML, like Gecko) Version/10.0.3 Safari/602.4.8' \
--data-binary '{"token":"value"}'


*   Trying 127.0.0.1...
* Connected to mydevserver (127.0.0.1) port 8443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* Server certificate: mydevserver
> PUT /api/v1/remote/connect HTTP/1.1
> Host: mydevserver:8443
> Accept: */*
> Content-Type: application/json
> Referer: http://localhost:3002/
> Origin: http://localhost:3002
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/602.4.8 (KHTML, like Gecko) Version/10.0.3 Safari/602.4.8
> Content-Length: 15
> 
* upload completely sent off: 15 out of 15 bytes
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: http://localhost:3002
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Api-Key, Device-Key
< Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
< Access-Control-Expose-Headers: Date
< Content-Type: application/json; charset=utf-8
< Content-Length: 37
< Set-Cookie: express:sess=[SESSIONKEY]=; path=/; expires=Fri, 17 Feb 2017 15:30:01 GMT; secure; httponly
< Set-Cookie: express:sess.sig=[SIGNATURE]; path=/; expires=Fri, 17 Feb 2017 15:30:01 GMT; secure; httponly
< Date: Fri, 17 Feb 2017 14:30:01 GMT
< Connection: keep-alive
< 
* Connection #0 to host mydevserver left intact
{"some":"normal","response":"payload"}
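As an added example (not the asker's code and not from anyone in this thread), the following lint checks a credentialed CORS response for the conditions that decide whether a browser stores and later sends the cookies, run over the headers pasted above. A cookie set by a cross-site fetch is a third-party cookie: modern browsers require SameSite=None; Secure on it, and Safari's tracking prevention blocks third-party cookies by default regardless, so a cross-site session cookie is not something to rely on. The site comparison and the sample response are constructed for this example.

```javascript
// Constructed sample: the status line plus the CORS and cookie headers from the cURL output above.
const SAMPLE_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Access-Control-Allow-Origin: http://localhost:3002',
  'Access-Control-Allow-Credentials: true',
  'Set-Cookie: express:sess=SESSIONKEY; path=/; expires=Fri, 17 Feb 2017 15:30:01 GMT; secure; httponly',
  'Set-Cookie: express:sess.sig=SIGNATURE; path=/; expires=Fri, 17 Feb 2017 15:30:01 GMT; secure; httponly',
].join('\r\n');

// Parse "Name: value" lines into lower-cased name -> list of values
// (Set-Cookie repeats, so every header keeps a list).
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/).slice(1)) {
    const i = line.indexOf(':');
    if (i < 0) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    (headers[name] = headers[name] || []).push(line.slice(i + 1).trim());
  }
  return headers;
}

// Approximate a "site" as the last two host labels (no public-suffix list here).
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Returns the reasons a browser would refuse to store or send the cookies
// for a credentials: 'include' fetch from pageOrigin to serverUrl.
function checkCredentialedCors(pageOrigin, serverUrl, rawResponse) {
  const h = parseHeaders(rawResponse);
  const problems = [];
  const acao = (h['access-control-allow-origin'] || [])[0];
  if (!acao) problems.push('missing Access-Control-Allow-Origin');
  else if (acao === '*') problems.push('wildcard Allow-Origin is rejected when credentials are included');
  else if (acao !== pageOrigin) problems.push(`Allow-Origin ${acao} does not match page origin ${pageOrigin}`);
  if ((h['access-control-allow-credentials'] || [])[0] !== 'true')
    problems.push('Access-Control-Allow-Credentials must be exactly "true"');
  const crossSite = siteOf(pageOrigin) !== siteOf(serverUrl);
  for (const cookie of h['set-cookie'] || []) {
    const [pair, ...attrs] = cookie.split(';').map(s => s.trim().toLowerCase());
    const name = pair.split('=')[0];
    const sameSite = (attrs.find(a => a.startsWith('samesite=')) || 'samesite=lax').slice(9);
    if (!attrs.includes('secure')) problems.push(`cookie ${name}: missing Secure attribute`);
    if (crossSite && sameSite !== 'none')
      problems.push(`cookie ${name}: cross-site use needs SameSite=None; Secure (unspecified SameSite is treated as Lax)`);
  }
  return problems;
}

console.log(checkCredentialedCors('http://localhost:3002', 'https://mydevserver:8443', SAMPLE_RESPONSE));
```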

, " " Safari, . XHR (, , , ) cookie. , , .

, , - iframe HTML API cookie. cookie. , , Safari - .

, , , -. :

  • X-Auth: [token], [token] - , JWT, ( - , - - , );
  • X-Auth Access-Control-Allow-Headers;
  • cookie ( Safari, -Safari cookie, auth);
  • X-Token X-Token , ( - , , );
  • , , cookie , ;
  • ( cookie , Safari ), , , , ;
  • .

, JWT ( - ) - (, , -). , , . , , , JWT , , , .


Source: https://habr.com/ru/post/1670095/