
Safari CORS requests withCredentials

It turns out, Safari will block “third party” cookies from domains you haven’t visited. This is a default Security setting.

If you authenticate against an API/service which is not in the same domain as the page, and get a session cookie, it will never be used because Safari will not save it.

Isn’t that awesome?

The solution is to access the API/service from a sub-domain, e.g. “api.somedomain.com”. This should cause Safari to hold onto the cookie so it can be re-used for the CORS requests.
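The following is an added example, not code from the original post. It models the two halves of a credentialed cross-origin request: which layout lets the browser keep the session cookie under a third-party-cookie-blocking policy like Safari's default, and which response headers the API must send for a request made with `withCredentials` / `credentials: 'include'`. The registrable-domain check is a deliberate simplification (last two labels, no Public Suffix List) and the hostnames, origins and helper names are assumptions made for the example.

```javascript
// Added example for the post above (not the author's code).
// Assumption: "registrable domain" is approximated as the last two labels of
// the hostname. Real browsers consult the Public Suffix List, so "co.uk"-style
// suffixes would need a longer tail than this toy version handles.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// True when the page and the API hang off the same registrable domain, i.e. the
// "api.somedomain.com" layout the post recommends. Under Safari's default policy
// a cookie set by a host the user never visited directly is dropped; a subdomain
// of the visited site is treated as the same site and the cookie is kept.
function isSameSite(pageHost, apiHost) {
  return registrableDomain(pageHost) === registrableDomain(apiHost);
}

// Response headers the API must send for a credentialed CORS request.
// With credentials the browser rejects "*"; the exact requesting origin has to
// be echoed back, and it must come from an allow-list, never from the request
// unchecked. Vary: Origin keeps caches from serving one origin's answer to another.
function corsHeadersForCredentialedRequest(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) {
    return null; // no CORS headers: the browser will block the response
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Full plan for a page at pageOrigin calling an API at apiOrigin.
// Note that moving the API to a subdomain does NOT remove the need for CORS:
// https://www.somedomain.com and https://api.somedomain.com are still different
// origins. It only fixes the cookie-storage problem the post describes.
function planCredentialedRequest(pageOrigin, apiOrigin) {
  const page = new URL(pageOrigin);
  const api = new URL(apiOrigin);
  const sameSite = isSameSite(page.hostname, api.hostname);
  return {
    crossOrigin: page.origin !== api.origin,
    sameSite,
    // Whether the session cookie survives under third-party-cookie blocking.
    cookieStoredUnderThirdPartyBlocking: sameSite,
    // What the page must pass to fetch() (XHR equivalent: withCredentials = true).
    clientFetchInit: { mode: 'cors', credentials: 'include' },
    // What the API must answer; the allow-list here is just the page's own origin.
    serverHeaders: corsHeadersForCredentialedRequest(page.origin, [page.origin]),
  };
}

// Constructed sample run: the broken layout from the post versus the fixed one.
const brokenLayout = planCredentialedRequest('https://www.somedomain.com', 'https://api.otherdomain.com');
const fixedLayout = planCredentialedRequest('https://www.somedomain.com', 'https://api.somedomain.com');
console.log('other domain, cookie kept?', brokenLayout.cookieStoredUnderThirdPartyBlocking);
console.log('subdomain, cookie kept?', fixedLayout.cookieStoredUnderThirdPartyBlocking);
console.log('subdomain still needs CORS?', fixedLayout.crossOrigin);
```

The point the plan makes explicit is that the subdomain fix and the CORS configuration are independent: the subdomain layout is what lets Safari store the cookie, while the exact-origin `Access-Control-Allow-Origin` plus `Access-Control-Allow-Credentials: true` is what lets the browser attach it and accept the response.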

http://attack.io/post/19053340672/why-does-safari-fails-cors-requests-withcredentials