Include credentials on cross-origin requests

A web application executes a cross-origin HTTP request when it requests a resource that has a different origin (domain, protocol, and port). Cross-origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell a browser to let a web application running at one origin (domain) have permission to access selected resources from a server at a different origin.

By default, CORS does not include cookies on cross-origin requests. To include credentials on cross-origin requests, you must change the CORS settings.

To include credentials on cross-origin requests:

  1. Navigate to your site definition item: /sitecore/content/<tenant>/<site>/Settings/Site Grouping/Site/CORS and click default.

  2. In the CORS section, in the Allow Origin field, enter the URL of the site.


    If the Allow Origin field value is empty or equal to "*", SXA ignores the Allow Credentials check box.

  3. Select the Allow Credentials check box.


For example:

When you access http://sxa from http://fake, without setting the Allow Credentials and Allow Origin fields, with the following script:

<script type="text/javascript">
        var xhr = new XMLHttpRequest();'GET', 'http://sxa/?device=1', true);
        xhr.withCredentials = true;

The response is:

Access to XMLHttpRequest at 'http://sxa/?sc_device=json' from origin 'http://fake' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

When you do set the Allow Credentials and Allow Origin fields:


The response is valid, with proper response headers without any errors: