Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/lbwa/spec-cookies
How HTTP cookies work.
cookie http-state-management set-cookie
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/lbwa/spec-cookies
- Owner: lbwa
- Created: 2019-11-28T09:49:37.000Z (about 5 years ago)
- Default Branch: master
- Last Pushed: 2019-11-29T05:25:46.000Z (about 5 years ago)
- Last Synced: 2024-11-05T22:11:58.609Z (3 months ago)
- Topics: cookie, http-state-management, set-cookie
- Language: TypeScript
- Homepage:
- Size: 36.1 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Spec Cookies
This project describes how HTTP same-site/cross-site cookies work.
## Fundamentals
[RFC6265 - HTTP State Management Mechanism](https://tools.ietf.org/html/rfc6265)
### Third-party cookies (cross-site cookies)
#### Specification
Note that the [HSMM](https://tools.ietf.org/html/rfc6265#section-7.1) specification grants user agents wide latitude to experiment with third-party cookie policies that balance the privacy and compatibility needs of their users. However, **it does not endorse any particular third-party cookie policy**.
#### MDN
- [XMLHttpRequest.withCredentials](https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials)
- [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Requests_with_credentials)
By default, in cross-site XMLHttpRequest or Fetch invocations, browsers will not send credentials (HTTP cookies and HTTP Authentication information). A specific flag has to be set on the XMLHttpRequest object or the Request constructor when it is invoked.
```ts
// with XMLHttpRequest (omit unrelated code)
const http = new XMLHttpRequest()
http.open('GET', 'https://api.github.com', true)
// set a flag used to send cross-site credentials.
// Otherwise, cross-site credentials wouldn't be sent.
// The flag must be set before send().
// https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials
http.withCredentials = true
http.send()

// with browser fetch API (omit unrelated code)
// https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/fetch
const url = 'https://api.github.com'
fetch(url, {
  // 'include' sends cookies on cross-site requests; the default 'same-origin' does not.
  credentials: 'include'
})
```

Note that the response headers should include [Access-Control-Allow-Credentials](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials) with the value `true` and [Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin) with a **specific** origin, instead of the `*` wildcard.
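The server side of the exchange above, as an added example that is not part of the spec-cookies project: an allowlist-based builder for the two CORS headers a credentialed response needs, the `Set-Cookie` attributes a cookie must carry to be sent cross-site at all, and a model of the check a browser applies before exposing the response. The allowlisted origins and the cookie name are constructed for illustration.

```typescript
// Added example (not from the spec-cookies repository). Origins below are constructed.
type CorsHeaders = Record<string, string>

// Constructed allowlist: the only origins permitted to make credentialed cross-site requests.
const ALLOWED_ORIGINS: ReadonlySet<string> = new Set([
  'https://main.domain.com:5000',
  'https://sub.domain.com:5000',
])

// Build the CORS headers for a response to a request made with `credentials: 'include'`
// or `withCredentials = true`. Returns null for an unknown or absent Origin, so the caller
// answers without CORS headers and the browser blocks the cross-site read.
function corsHeadersForCredentialedRequest(origin: string | undefined): CorsHeaders | null {
  if (origin === undefined || !ALLOWED_ORIGINS.has(origin)) return null
  return {
    // One specific origin, echoed only because it is allowlisted. Reflecting every Origin
    // would grant any site credentialed reads; '*' is rejected by browsers with credentials.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // The value above differs per origin, so shared caches must key on Origin.
    'Vary': 'Origin',
  }
}

// Set-Cookie attributes for a cookie that may accompany cross-site requests.
// SameSite=None permits cross-site sending, and browsers require Secure alongside it,
// which is why the project serves its demo over HTTPS.
function crossSiteCookie(name: string, value: string): string {
  return `${name}=${value}; Path=/; Secure; HttpOnly; SameSite=None`
}

// Model of the browser's check before exposing a credentialed cross-site response:
// Allow-Origin must equal the requesting origin exactly (never '*') and
// Allow-Credentials must be the literal string 'true'.
function browserAcceptsCredentialedResponse(headers: CorsHeaders | null, requestOrigin: string): boolean {
  if (headers === null) return false
  return (
    headers['Access-Control-Allow-Origin'] !== '*' &&
    headers['Access-Control-Allow-Origin'] === requestOrigin &&
    headers['Access-Control-Allow-Credentials'] === 'true'
  )
}

// Walk-through: an allowlisted origin is accepted, a wildcard response is not.
const demoOrigin = 'https://sub.domain.com:5000'
const okHeaders = corsHeadersForCredentialedRequest(demoOrigin)
console.log(browserAcceptsCredentialedResponse(okHeaders, demoOrigin)) // true
console.log(browserAcceptsCredentialedResponse({ 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' }, demoOrigin)) // false
```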
## Prerequisites
1. Run the following command to create the local SSL certificate used by the HTTPS server:
```bash
npm run setup
```
2. Add the demo hostnames to your `/etc/hosts` file:
```txt
127.0.0.1 domain.com
127.0.0.1 main.domain.com
127.0.0.1 sub.domain.com
```
## Installation
- Start the HTTPS server:
```bash
npm run start-https
```
- Browse to one of the web pages:
```txt
https://domain.com:5000
# or
https://main.domain.com:5000
# or
https://sub.domain.com:5000
```
## License
MIT © [Bowen Liu](https://github.com/lbwa)