11

If I send an XHR request to example.com and the response includes Set-Cookie: dummyCookie=dummy, how do different browsers handle this?

  • Does any version of any browser set the cookie for example.com, so that it will travel in subsequent requests (requests in compliance with SOP) to example.com?
Sachin Kumar

3 Answers

8

I'm not sure if browsershots will handle this - since it seems to be mainly focused on looks, rather than behaviour.

If an XHR response issues a "Set-Cookie" header, it will be included in further requests. From http://www.w3.org/TR/XMLHttpRequest:

 If the user agent supports HTTP State Management it should persist, discard
 and send cookies (as received in the Set-Cookie response header, and sent in
 the Cookie header) as applicable.

I just tested in FF13, and XHR requests set cookie values.

ndrix
    Having said that, ensure that you have the XMLHttpRequest.withCredentials property enabled to include credentials (and thus also cookie values) in subsequent requests. – ndrix Jun 02 '17 at 20:58
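
A simplified model of this behaviour, added here as an example and not taken from any answer or from browser code: it follows the Fetch standard's rule that XHR handles cookies for same-origin requests and, for cross-origin requests, only when withCredentials is true. ModelAgent and its methods are hypothetical names; Path, Expires, SameSite and third-party cookie blocking are left out.

```javascript
// Simplified model (an assumption, not browser source) of the Fetch standard's
// credentials rule as it applies to XMLHttpRequest.

// Origin = scheme + host + port, as computed by the WHATWG URL parser.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// XHR uses credentials mode "include" when withCredentials is true, otherwise
// "same-origin". Cookies are handled only when credentials are included.
function includesCredentials(pageUrl, requestUrl, withCredentials) {
  return withCredentials || sameOrigin(pageUrl, requestUrl);
}

class ModelAgent {
  constructor(pageUrl) {
    this.pageUrl = pageUrl;
    this.jar = new Map(); // host -> Map(name -> value); host-only cookies
  }

  // Process the response headers of an XHR; returns true if a cookie was stored.
  receive(requestUrl, headers, { withCredentials = false } = {}) {
    const setCookie = headers['set-cookie'];
    if (!setCookie || !includesCredentials(this.pageUrl, requestUrl, withCredentials)) {
      return false;
    }
    // Keep only the name=value pair; attributes after ';' are ignored here.
    const pair = setCookie.split(';')[0];
    const eq = pair.indexOf('=');
    if (eq < 1) return false;
    const host = new URL(requestUrl).hostname;
    if (!this.jar.has(host)) this.jar.set(host, new Map());
    this.jar.get(host).set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
    return true;
  }

  // Cookie header value the agent would attach to the next XHR, or null.
  cookieHeader(requestUrl, { withCredentials = false } = {}) {
    if (!includesCredentials(this.pageUrl, requestUrl, withCredentials)) return null;
    const cookies = this.jar.get(new URL(requestUrl).hostname);
    if (!cookies || cookies.size === 0) return null;
    return [...cookies].map(([n, v]) => `${n}=${v}`).join('; ');
  }
}
```
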
2

The behaviour of an XHR request depends on browsers' implementation. The answer to your question (about Set-Cookie and all the stuff related to XHR SOP) is here: http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_XMLHttpRequest

p____h
1

Yes, I believe the browser will accept the cookie from the server, if you're allowed to send the request. I believe this should be true on all modern browsers.

But you can always test it yourself, if in doubt. Browsershots is a great tool for this sort of thing, and it is free.

D.W.