Add ability to send cookies cross domain #176

Closed
aberasarte opened this issue Apr 19, 2018 · 8 comments · Fixed by #604

Comments

@aberasarte

As far as I understand, there is no way to send cross domain cookies with the current grpc-web client implementation. Looking at the code, I see that grpc-web is using xhrio to send the requests to the server but I don't see any settable property nor option in the grpc client that would enable the xhrio "withCredentials" flag.

Would it be possible to add this feature? It would be really helpful for our current scenario.

@stanley-cheung
Collaborator

This feature is in the internal version of the library. We will be glad to add it here. How do you envision using this? Should this be a call-level option? Or should it be service/stub level?

@wenbozhu
Member

Service/stub level. It's a no-op if calls are from the same origin.

@aberasarte
Author

Thanks for the fast reply! Service/stub level works for me.

@AaronTriplett

Any updates on this? We're currently blocked from going to production due to this issue.

@stanley-cheung
Collaborator

Added an option in #604 to allow clients to enable withCredentials to true.

var client = new EchoServiceClient('localhost', null, {
  'withCredentials': true
});

But before I cut the next release including this fix, is it possible that someone can verify if this works for your use case? Coz I received a report that even with #604, cookie is not being attached to a cross-domain request. So I was wondering if we are still missing something.

@hellraisercenobit

I'm trying to do this with Envoy, but nothing seems to work as expected.
Does someone have an Envoy config sample to do this?
CORS allow_credentials is set server side.
withCredentials is set client side.
But Access-Control-Allow-Origin is always equal to '*' in the response headers.
So the request/response has been blocked by CORS policy.
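
The failure described in the comment above (credentials enabled on both sides, yet `Access-Control-Allow-Origin: *` in the response) follows from the CORS check browsers apply to credentialed requests. The sketch below is an added example, not part of the original thread or the grpc-web code base; the function names, the origin and the header sets are assumptions constructed for illustration.

```javascript
// Added example. The origin and header sets below are constructed samples.
const ORIGIN = 'https://app.example.test';
// Lower-case header names so lookups are case-insensitive, as in HTTP.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// Reasons a browser rejects a cross-origin response to a request sent with
// withCredentials = true. An empty array means the CORS check passes.
function checkCredentialedCors(pageOrigin, responseHeaders) {
  const h = normalize(responseHeaders);
  const problems = [];
  const acao = h['access-control-allow-origin'];
  if (acao === undefined) {
    problems.push('Access-Control-Allow-Origin is missing');
  } else if (acao === '*') {
    problems.push("Access-Control-Allow-Origin is '*'; credentialed requests need the exact origin");
  } else if (acao !== pageOrigin) {
    problems.push(`Access-Control-Allow-Origin ${acao} does not match ${pageOrigin}`);
  }
  // The value is compared case-sensitively against the string "true".
  if (h['access-control-allow-credentials'] !== 'true') {
    problems.push('Access-Control-Allow-Credentials is not "true"');
  }
  // Only relevant on the preflight (OPTIONS) response: with credentials,
  // '*' here is a literal header name, not a wildcard.
  const allowHeaders = (h['access-control-allow-headers'] || '').split(',');
  if (allowHeaders.some((t) => t.trim() === '*')) {
    problems.push("Access-Control-Allow-Headers '*' is not a wildcard for credentialed requests");
  }
  return problems;
}

// Server-side counterpart: name the origin only when it is on an explicit
// allow-list, rather than sending '*' or echoing any Origin header back.
function corsHeadersFor(requestOrigin, allowList) {
  if (!allowList.includes(requestOrigin)) return {}; // no CORS headers: browser blocks
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // the response differs per origin, so caches must key on it
  };
}

const wildcard = { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' };
console.log(checkCredentialedCors(ORIGIN, wildcard));
console.log(checkCredentialedCors(ORIGIN, corsHeadersFor(ORIGIN, [ORIGIN])));
```
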

@bram-abe

> Added an option in #604 to allow clients to enable withCredentials to true.
>
> var client = new EchoServiceClient('localhost', null, {
>   'withCredentials': true
> });
>
> But before I cut the next release including this fix, is it possible that someone can verify if this works for your use case? Coz I received a report that even with #604, cookie is not being attached to a cross-domain request. So I was wondering if we are still missing something.

Aha, this solves my initial problem, where the case is that the browser could read & receive the Set-Cookie response header but cannot store it. Thx @stanley-cheung

@vdhanan

vdhanan commented Feb 22, 2024

@stanley-cheung I've enabled withCredentials and the cookie is still not being attached to a cross-domain request. Would you mind helping me resolve this?

    const unauthClientOpts = {
      unaryInterceptors: [versionInterceptor],
      withCredentials: true,
    };

    return new IdentityUnauthClient.IdentityClientServicePromiseClient(
      identitySocketAddr,
      null,
      unauthClientOpts,
    );
