6

When we write a HTML page with form tag and an action attribute and a submit button. As soon as we click on submit a request is sent (with cookies) to the URL which was the value of action attribute.

But if we send cross domain request to the same domain with JS's XHR cookies won't be sent.

In both cases, requests are sent to another domain but still cookies are sent with the first case only why so?

Nix
  • 61
  • 2
  • I'm actually having the problem where cookies are not sent along a cross domain form submit, while I was expecting they were. Something has changed on that matter since then ? – challet Mar 24 '21 at 17:27

2 Answers2

5

Cookies can be send with XHR if withCredentials is set to true. Contrary to cross-origin form submit or the cross-origin include of resources the application has actually control if cookies are sent or not. Since it is more secure to not include cookies in cross-site requests this is the default and the application has to explicitly enable it if needed.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
0

For the cross-domain form submit, the cookies sending are managed by the SameSite setting for each of them.

challet
  • 101