Chapter 5. Cookies and response headers
This chapter covers
- Including cookies with requests
- Understanding how client and server settings interact to control cookie behavior
- Exposing response headers to clients
Chapter 4 introduced the concept of preflight requests. Preflight requests enable the browser to ask for the server’s permission before making requests with certain HTTP methods and headers. This permissions model puts the server in charge of how cross-origin requests behave.
Luckily, CORS has ways to support these features. As with all the other CORS features you’ve learned about, the server is in charge of enabling them, and it does so by using HTTP headers. This chapter will introduce two new response headers: Access-Control-Allow-Credentials, which indicates that cookies may be included with requests, and Access-Control-Expose-Headers, which indicates which response headers are visible to the client.
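As an added illustration (not code from this book), the sketch below shows a server-side handler setting both headers for an allowlisted origin only. The names applyCors, ALLOWED_ORIGINS and EXPOSED_HEADERS, along with the sample origins and header names, are assumptions made for the example.

```javascript
// Added example: all names and sample values here are hypothetical.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // constructed sample origin
const EXPOSED_HEADERS = ['X-Request-Id', 'X-RateLimit-Remaining']; // constructed sample headers

// Sets CORS response headers on `res` for `req` (Node http-style objects).
// Returns true when the requesting origin was granted credentialed access.
function applyCors(req, res) {
  const origin = req.headers.origin;
  // The response differs per Origin, so shared caches must key on it.
  res.setHeader('Vary', 'Origin');
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    // No CORS headers are sent: the browser refuses to hand the response to the page.
    return false;
  }
  // Browsers reject the wildcard "*" on credentialed requests, so the exact
  // allowlisted origin is echoed instead of reflecting whatever was sent.
  res.setHeader('Access-Control-Allow-Origin', origin);
  // Permits cookies to be included with the request.
  res.setHeader('Access-Control-Allow-Credentials', 'true');
  // Makes these response headers visible to client-side code.
  res.setHeader('Access-Control-Expose-Headers', EXPOSED_HEADERS.join(', '));
  return true;
}

// Minimal stand-in for http.ServerResponse so the example runs offline.
function fakeResponse() {
  const headers = {};
  return { headers, setHeader(name, value) { headers[name] = value; } };
}

// Runs applyCors against a constructed request carrying the given Origin.
function demo(origin) {
  const res = fakeResponse();
  const granted = applyCors({ headers: origin ? { origin } : {} }, res);
  return { granted, headers: res.headers };
}

console.log(demo('https://app.example.com'));   // allowlisted origin
console.log(demo('https://other.example.net')); // origin not on the allowlist
```

In a real server the same function would be called at the top of the request handler; the client must also opt in (for example with withCredentials on XMLHttpRequest) before the browser attaches cookies.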