Sir your teaching is really great, I have seen lots of videos about this topic on yt but no one can teach you like this ,you are awesome Thank you so much from India

I was suffering with cookies and fetch until now. Thank you so much

Great job, Steve! Explained a complex topic very concisely and professionally! :)

You’re truly a life saver! I’ve been searching for a video like this everywhere on the internet!!!

You deserve 1 million likes, thanks a lot !

Super insightful, prof! I really appreciate what you have done for me in my career as an engineer! You have really my skills in a way I could only have dreamed of! Blessings!

This is excellent. A very difficult topic. Thanks for the hard work that went into this.

Such a clear explanation of everything! Loved it.

Any idea?? I am setting cookie with secure=true, sameSite=none, httponly=false, on frontend i am setting credentials=include as well, since frontend is on other domain and backend is on other domain. I see the Set-cookie response header with correct value but browser is not setting it in its cookie section. no warnings, no errors whatsoever. In localhost since frontend/backend on same domain (localhost) and i set secure=false it works. BUT in production with this configuration secure=true, sameSite=none, httponly=false, browser do not set it.

This channel never disappoints with a true sting

That's the best CORS explanation ever!! thank you!!!

Oh my god. You made this SO clear, thank you so much, I was breaking my head around this concept, trying to set things up with AWS. Many MANY thanks, from France, best regards !

Cannot thank you enough. Going through tens of SO posts, but seeing everything in one place like this helped click it all together.

Seriously great video. I've been trying to figure all this out for days and this video was 100% exactly what I needed, really awesome stuff.

I was actually looking for the cookies content. Was stuck in a MERN project and can't able to access the backend cookies 🍪 on to the frontend. Thanks for the video.

Saved tons of time! Thanks🙏

I can't express my appreciation

Thanks Steve for the video. Do you have video for passing Authorization in header for CORS

You were right, I keep coming back to this video haha

Wow. This is absolute gold! Thank you so much for doing this! There are so many things to this that I'm going to have to watch this a few times, but that's not your fault. Your explanation is really good. I will take some time to wrap my head around this haha

Absolute great content ! THX :)

If I refresh the site, the cookie disappears under "Application" in chrome inspector. Anyway I just changed the servers port from localhost to 127.0.0.1 and changed SameSite=None to SameSite=Lax and now cookie stays even after refresh. So your video still helped me, thanks!

my dude steve is the bob ross of programming

That was very helpful, thank you

really great video. Was using req.origin as the "allow-origin" value just for demo? For CSRF protection in production, is that ok? I can't find a proper way to use auth jwt http-only in a public b2c style app because http-only requires credentials: true which requires known origins which for an publicly open app we won't know.. Thanks so much.

Great explanations. Thanks.

Does cors enabled server treat the domain name as cross origin or same origin? I mean the host ip could be considered as 127... and localhost as domain name?

Hey Steve, is this video still up-to-date? I'm working on a project with a very similar scenario... everything was working while on localhost, I read the mozilla documentations and had implemented everything as you have done in this video. However, when deploying it to a remote server and accessing it over https, the browser wont set the cookies from a cors request anymore, not even with a "Secure" attribute set. Now I am reading some comments on stack overflow, stating that browsers "generally refuse to set such third party cookies", which is in complete contradiction to your video and to the explanations on the mozilla doc... what is your opinion to all of this?

Hi Steve, I am still a little lost. How can someone use a JWT with cors then? Where else can I store it, if JS cannot access set-cookies?

You cool bro. From Belarus with brother's love

easy to understand with you, thank you

Thank you. But you did not explain about fetching from a mobile device for example from an iphone. cross site cookies wont be sent. Can you please talk about this?

Hi good explanation Brother although my problem has not been fixed, I use react with laravel sanctum for jwt token I think there is a problem with how they handle cors or the axios does not work propery

Excellent job, thank you so much.

Great video! Though I've been having issues setting my cookie in the browser when I have my server deployed on Heroku and my frontend deployed on Netlify. It works on localhost but not in production. Do you happen to have any idea why the cookie is not being set? The cookie is being passed to the response in the Set-Cookie header, but for some reason it is not being set in the response.

Doesn't work anymore, right? The warning also said the same around 30 mins in video

can you please help me im writing a server that sends session cookies (using express session), and a frontend website that makes request to it. It worked fine locally when i set up both the server and the website on different ports and also got the warning sameSite=lax when changed it to localhost. But when i deployed the server and the website, I changed to sameSite to none (as it will be cross site request) and set secure to true but even then I'm not receiving cookies from my response. pls help UPDATE: I tried setting samesite to lax and deployed it again, i got the same warning "samesite=lax should be set to none" and when i set to none, i get no cookie back :(

Excellent video.

A great video indeed sir, Please help me out here, I have created a rest API using node and express which i hosted at localhost:8080 and it working just fine with postman. Now i created a separate frontend project at localhost:5500 with vanilla js not any framework so i get the CORS error when fetching the api then i updated by backend use the cors and set the desired option and when i sent a request from port 5500 to port 8080 it set the cookie in res headers i mean api send back the token in res but the cookie get set at the api endpoint like i made a fetch a request from localhost:5500 to localhost:8080 and in response i get the json messge but the cookie has been set at the origin localhost:8080 , although i'm still able to access the cookie but why it set on the backend endpoint please help

damn this shit is a whole lot more convoluted than i ever thought haha And I've been doing web things since 2000s.

hello I need help, I have links hls live streaming on these links I have to enable the cors support, because now the view of the live channels, after a minute is blocked, for this I have to enable sharing between the origins can you help me? Taking into account that I cannot access the server so I should bypass the cors, can you help me?

But fetch and cors are the same? I use fetch to bring data from an public api to my website without cors

What about set in browser a httpOnly cookie.?

Can somebody segment this video?

Thank you!

Was it just me or you guys also noticed that there is an Om 🕉 sound in the background after 15:30 .

saved my ass bro

great 10x :-)

Thank you so much for your efforts 🌹🫶🫶 i had one problem that the Cookie Request header will not be sent in Firefox 106.0.5 64bit on ubuntu i will test. it on windows and leave a comment. i think this because 3rd party cookie are blocked by default in firefox

Thank you !!