Safari CORS requests withCredentials

It turns out Safari will block “third-party” cookies from domains you haven’t visited. This is a default security setting.

If you authenticate against an API/service that is not in your site’s domain and get a session cookie, the cookie will never be used, because Safari will not save it.

Isn’t that awesome?

The solution is to access the API/service from a sub-domain, e.g. “”. This should cause Safari to hold onto the cookie so it can be re-used for the CORS requests.
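
The sketch below is an added example, not code from the original post. It checks whether an API host counts as first-party to the page before sending a credentialed request, and shows the response headers a credentialed CORS request needs. The hostnames and the function names `registrableDomain`, `isFirstParty`, `corsHeaders` and `sessionFetchInit` are constructed for illustration, and the two-label domain rule is a stated simplification.

```javascript
// Added example. All hostnames (example.com, example.net) are constructed.

// Naive registrable-domain guess: the last two labels of the hostname.
// Assumption: production code needs the Public Suffix List, because
// suffixes such as "co.uk" break the two-label rule.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// True when the API host shares the page's registrable domain, so the
// browser treats the API's session cookie as first-party.
function isFirstParty(pageUrl, apiUrl) {
  const page = new URL(pageUrl);
  const api = new URL(apiUrl);
  return registrableDomain(page.hostname) === registrableDomain(api.hostname);
}

// Server side: headers for a credentialed CORS response. With credentials,
// Access-Control-Allow-Origin may not be "*"; it must echo one exact origin,
// and only after that origin has been checked against an allow-list.
function corsHeaders(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Client side: options for fetch() that send cookies cross-origin
// (the fetch equivalent of xhr.withCredentials = true). Fails early when the
// API host is third-party, the case where Safari's default drops the cookie.
function sessionFetchInit(pageUrl, apiUrl) {
  if (!isFirstParty(pageUrl, apiUrl)) {
    throw new Error('API host is third-party to the page: ' + new URL(apiUrl).hostname);
  }
  return { mode: 'cors', credentials: 'include' };
}
```

In a page, the result would be used as `fetch(apiUrl, sessionFetchInit(location.href, apiUrl))`.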