Can Javascript access cookies created from another domain?
Please read the whole question, as I'm sure it covers the basic suggestions.
My project configuration is set as follows:
Domains:
front-end: "https://front.domainA.com" // AWS Amplify, React
back-end: "https://back.domainB.com" // AWS Amplify, Express.js
CORS (on server.js):
origin: "https://front.domainA.com",
credentials: true,
optionsSuccessStatus: 200,
CORS (Amplify API console, hits this before server.js CORS):
"method.response.header.Access-Control-Allow-Methods": "'DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT'",
"method.response.header.Access-Control-Allow-Headers": "'X-Requested-With,X-HTTP-Method-Override,Accept,Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,csrf-token,x-csrf-token,xsrf-token,x-xsrf-token'",
"method.response.header.Access-Control-Allow-Origin": "'https://front.domainA.com'",
"method.response.header.Access-Control-Expose-Headers": "'Set-Cookie'",
"method.response.header.Access-Control-Allow-Credentials": "'true'"
Axios
const instance = axios.create({
baseURL: "https://back.domainB.com";
});
instance.interceptors.request.use((req) => {
req.withCredentials = true;
return req;
});
export default instance;
Note that I've tested sharing cookies across localhost ports (front-end: 3000, back-end :5000) with no problems.
Further details:
When calling my cookie GET endpoint, the cookie is being sent back to the front-end in a 'Set-Cookie' response header. But from there I can NOT get Javascript to read the cookie, where then I want to manipulate it on the front-end.
Before you recommend setting the cookie attributes, I've covered every angle of that. I've set the cookie's domain, sameSite, httpOnly, secure, and path attributes in every configuration possible, with no results. That said, it seems the correct settings for the example are:
httpOnly=false
path="/"
sameSite="none"
secure=true
If I include the domain setting below, I get an error saying, "Set-Cookie was blocked because its Domain attribute was invalid with regards to the current host url". So I leave that out. All other settings are the defaults.
domain='https://front.domainA.com'
All that said, the cookies are in fact being acknowledged by Chrome. If I click the lock (or i), icon to the left of the address bar lock (or i), icon to the left of the browser bar, they show up there. They also show up in the http response headers. But they do NOT show up in cookie storage and will NOT be read by Javascript.
My thought's are that the only solution to this is to have both the back and front-ends on the same top level domain. Perhaps with the backend at an api.xxxx subdomain.
Am I right in my assumption? Or are there any other solutions to this problem that I'm missing? Perhaps I'm missing an AWS Amplify setting to allow this as well?
Thank you ahead of time for any responses.