Why isn't there the cookie sent for cross domain request?
I have the following setup:
- www.localhost.lan -> 127.0.0.1
- app.localhost.lan -> 127.0.0.1
There is a haproxy running on port 443 using mkcert certificates. In the proxy the www request are sent to the static site engine the app requests are sent to the Rust backend.
use_backend www if { hdr(host) -i www.localhost.lan }
use_backend app if { hdr(host) -i app.localhost.lan }
The full config is here: https://gist.github.com/l1x/ab941cedecd85ba9a8b44046367e1d1a
When a user logs in we issue a cookie:
let cookie = Cookie::build(("vs-jwt", &s))
.domain(".localhost.lan")
.secure(true)
.same_site(SameSite::None)
.http_only(true)
.path("/")
.max_age(Duration::WEEK)
.build();
When I am navigating to www.localhost.lan/app the following happens:
- GET www.localhost.lan/app -> cookie is sent
- GET app.localhost.lan/view/app -> cookie is not sent
Cookie sent:
Cookie not sent:
What am I missing?
I was trying to fiddle with the cookie settings but I think it should work. Does it matter if the request was initiated by JS (HTMX in this case)?
The code that is actually triggering the GET request:
<section class="bg-white dark:bg-gray-900">
<div id="app">
</div>
<div hx-get="https://app.localhost.lan/view/app" hx-trigger="load" hx-target="#app">
<img alt="Result loading..." class="htmx-indicator" width="150" src="/img/bars.svg" />
</div>
</section>
I have narrowed it down to HTMX. The standard request works:
const xhr = new XMLHttpRequest();
xhr.open("GET", "https://app.localhost.lan/view/app", true);
xhr.withCredentials = true;
xhr.send(null);
This sends the cookie.
As it turns out by default the AJAX requests do not send cookies.
The default JS libs have the following:
xhr.withCredentials = true;
In HTMX this has to be configured as well:
<div
hx-get="https://app.localhost.lan/view/app"
hx-request='{"credentials": true}'
hx-trigger="load"
hx-target="#app">
<img alt="Result loading..."
class="htmx-indicator"
width="150" src="/img/bars.svg" />
</div>
- How memory address for pointer to arrays is same as an element in 2D array?
- How to use ellipsis in c's case statement?
- Fast & accurate atan/arctan approximation algorithm
- How can I exclude non-numeric keys? CS50 Caesar Pset2
- Fast ceiling of an integer division in C / C++
- Is there an invalid pthread_t id?
- How does SIMD (avx) processing work? for example, if I want 10 32 bit floats how do i fit in a 256 bit avx vector?
- FDCAN problems on STM32G4
- How does the call macro enable mutual recursion between functions f and g in this Hanoi Tower implementation?
- Running test on Rocket core CPU - global variable initialized to 0 is unsuccessful, output wrong value instead
- Interacting with C arrays without knowing the size
- Combination of two strings
- Avoiding strcpy overflow destination warning
- carriage return by fgets
- How to use special characters in C?
- Why does 1.0/100.0 == 0.1/10.0 give True?
- Is it correct to compare pointers in C?
- Force free() to return malloc memory back to OS
- How can I print to standard error in C with 'printf'?
- What is the standard behavior of fread in C on Windows?
- How is strtok removing lines it shouldn't have access to?
- Using array as smart point in C
- Assigning string to malloced 2d char array not working as intended
- How to refactor repetition inside a Makefile?
- Why does an empty preprocessor command still evaluate to something?
- How to implement variable sized array within C struct
- Character array typecasting to integer
- Handling HTTP Headers in a Minimal C HTTP Server
- How to get the sign, mantissa and exponent of a floating point number
- Why do MCU libraries use logic operations instead of bitfield structs?