Cross-domain cookies are not being set by Angular HttpClient

Question

I'm using a Rust (Actix) backend and Angular frontend, hosted on separate domains. I've configured CORS on the backend:

let cors = Cors::default()
  .allowed_origin(FRONTEND_URL)
  .allowed_origin("http://localhost:3000")
  .allowed_methods(vec!["GET", "POST"])
  .allowed_headers(vec![header::AUTHORIZATION, header::ACCEPT, header::CONTENT_TYPE, header::ACCESS_CONTROL_ALLOW_CREDENTIALS])
  .supports_credentials();

Cookies are configured to be secure, httponly, and SameSite=None:

Cookie::build("cookie_name", cookie_value)
  .path("/")
  .secure(true)
  .http_only(true)
  .same_site(SameSite::None)
  .finish()

On the frontend, I'm using the standard Angular HttpClient to make an API call, using withCredentials: true:

this.http.get<ResponseObject>(url, {
  params: { ... },
  withCredentials: true
})

Chrome dev tools shows the Set-Cookie header in the response, but the cookie is never actually set except when I run both the backend and frontend locally.

I've looked at this, this, this, this, this, and this, trying each of the proposed solutions, but with no success.

What am I missing? What needs to be changed to ensure the cookies are set?

@НикитаСереда yes, I tried `--disable-host-check`. I also tried `--cross-origin use-credentials` when building the project. Neither fixed the problem. — WKHAllen, May 27 '21 at 14:25

score 1 · Answer 1 · answered May 27 '21 at 15:44

It seems my own ignorance on CORS and cross-domain cookies was the source of the problem. The cookies were being set, but not where I expected. I had assumed the cookies would be set on both the domain hosting the backend and the one hosting the frontend, but they are only set on the backend.

The links to other SO pages in my above question are useful, and should be used in the event that other people run into similar issues.

Cross-domain cookies are not being set by Angular HttpClient

1 Answers1