How to make the browser be able to set cookie from sub-domain?

  cookies, http, laravel

Update: Am I reading the MDN docs right? Is the Set-Cookie header forbidden as a response header? Then how am I supposed to make Laravel Sanctum set the XSRF token cookie?

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie :

Warning: Browsers block frontend JavaScript code from accessing the
Set Cookie header, as required by the Fetch spec, which defines
Set-Cookie as a forbidden response-header name that must be filtered
out from any response exposed to frontend code.

I have a frontend served on localhost, and it calls an API that tries to set a CSRF cookie via the Set-Cookie header.

*Edit: Do I need the exact path? Because I am trying to set the cookie on localhost/register, not localhost

I get the following error:

This Set-Cookie was blocked because its Domain attribute is invalid
with regards to the current host URL

This is how the attempt to set the cookie looks:

Request URL: http://api.localhost/sanctum/csrf-cookie

Set-Cookie: XSRF-TOKEN=long-encrypyed-value; expires=Thu, 09-Sep-2021 11:18:25 GMT; Max-Age=7200; path=/; domain=localhost; samesite=lax

I believe the error is because the request URL is api.localhost and my website is localhost (domain=localhost in the cookie attribute).

But how can I make it work? Should I add a name header from the frontend side or from the backend side?

Also, should I change mode to strict or leave it as lax?

Source: Laravel
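The Fetch restriction quoted above only hides Set-Cookie from frontend JavaScript; the browser itself still processes the header, and the question's error comes from that processing step: the Domain attribute is checked against the host that sent the response. The following added example (not code from the question or from Laravel) models that check in the terms of RFC 6265 section 5.3: a leading dot is stripped, a Domain that is a public suffix is rejected unless it equals the request host exactly, and otherwise the request host must domain-match the Domain. The public-suffix table is a constructed stand-in for the real list, and treating single-label names such as "localhost" as public suffixes is an assumption chosen to reproduce the browser behaviour the question reports; the hostnames other than the one in the question are also constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the public suffix list (assumption; the real PSL is far larger).
PUBLIC_SUFFIXES = {"com", "test", "co.uk"}

IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes); attribute names are lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def domain_matches(host, domain):
    """RFC 6265 s5.1.3: equal, or host ends with '.' + domain and host is not an IP literal."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return host.endswith("." + domain) and not IPV4_RE.fullmatch(host)


def is_public_suffix(domain):
    # Assumption: single-label names ("localhost") are treated like public suffixes,
    # which matches the rejection the question's browser reports for Domain=localhost.
    return domain in PUBLIC_SUFFIXES or "." not in domain


def cookie_domain_decision(request_url, header):
    """Decide whether a browser would store the cookie and, if so, which hosts it applies to."""
    host = urlsplit(request_url).hostname.lower()
    name, _, attrs = parse_set_cookie(header)
    domain = attrs.get("domain", "").lstrip(".").lower()  # s5.2.3: leading dot is ignored

    if not domain:
        # No Domain attribute: host-only cookie, sent back to this exact host only.
        return {"name": name, "status": "accepted", "domain": host, "host_only": True}

    if is_public_suffix(domain):
        if domain == host:
            return {"name": name, "status": "accepted", "domain": host, "host_only": True}
        return {"name": name, "status": "rejected", "domain": domain,
                "reason": "Domain attribute is a public suffix that differs from the request host"}

    if not domain_matches(host, domain):
        return {"name": name, "status": "rejected", "domain": domain,
                "reason": "request host does not domain-match the Domain attribute"}

    return {"name": name, "status": "accepted", "domain": domain, "host_only": False}


def would_send_cookie(decision, target_host):
    """Would the stored cookie be attached to a request to target_host (s5.4, domain part only)?"""
    if decision["status"] != "accepted":
        return False
    if decision["host_only"]:
        return target_host.lower() == decision["domain"]
    return domain_matches(target_host, decision["domain"])


# The header from the question, as received from http://api.localhost.
QUESTION_HEADER = ("XSRF-TOKEN=long-encrypyed-value; expires=Thu, 09-Sep-2021 11:18:25 GMT; "
                   "Max-Age=7200; path=/; domain=localhost; samesite=lax")

if __name__ == "__main__":
    print(cookie_domain_decision("http://api.localhost/sanctum/csrf-cookie", QUESTION_HEADER))
    # Constructed hostnames with a registrable parent domain: API and frontend share "example.test".
    ok = cookie_domain_decision("http://api.example.test/sanctum/csrf-cookie",
                                "XSRF-TOKEN=v; path=/; domain=example.test; samesite=lax")
    print(ok, would_send_cookie(ok, "app.example.test"))
```

Running the block shows the question's own header being rejected, whereas an API and a frontend that share a dotted parent domain can both see a cookie scoped to that parent; a host-only cookie (no Domain attribute) is only ever returned to the host that set it.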
