The server response has to have these headers:

    Access-Control-Allow-Origin: https://origin.com
    Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
    Access-Control-Allow-Headers: Content-Type, X-Auth-Token, Origin
    Access-Control-Allow-Credentials: true
where https://origin.com is the querying host. When sending login credentials, Origin must not be *; the browser would reject the server's answer.
Additionally, catch OPTIONS requests and respond with 200 OK and the headers if the requesting host is on the whitelist, 4XX otherwise. Make sure that 4XX responses send those headers, too.
    $.ajax({
        ...,                        // remaining options (url, type, data, ...) unchanged
        crossDomain: true,
        xhrFields: {
            withCredentials: true   // send cookies / auth headers with the cross-origin request
        }
    })
Enable third-party cookies in your browser. Cookies for localhost are not persistent.