I think I misunderstood the management of cookies with XMLHttpRequest. I have a server that responds to the XMLHttpRequest made in JavaScript. My server returns Allow-Control-Access-Origin, Access-Control-Allow-Headers, Access-Control-Expose-Headers and Access-Control-Allow-Credentials headers with the correct value.
I'm doing a Digest Authenticate in a server with JavaScript, no problem in that. I correctly receive the WWW-Authenticate header from server. I process and send to the server the Authorization header with all the digest-response and everything is ok.
The problem is, when the digest-challenge is successful, my server returns a Set-Cookie header. I have to get it and add it to all the rest of my xhr requests.
The browser (using Chromium and Chrome) won't let me access the header by doing:
xhr.getResponseHeader("Set-Cookie");
Ok, in the XMLHttpRequest Level 2 spec it says: "Returns all headers from the response, with the exception of those whose field name is Set-Cookie or Set-Cookie2"
Ok, so I can't access it, but what are the alternatives? Using the Chrome API for cookies (at the moment I haven't read anything about it), but I want to use the most standard method possible.
Does:
xhr.withCredentials = true;
mean the browser automatically gets the Set-Cookie and sends Cookie headers?
From CORS spec http://www.w3.org/TR/cors/#make-a-request-steps:
Whenever the make a request steps are applied, fetch the request URL from origin source origin with the manual redirect flag set, and the block cookies flag set if the omit credentials flag is set. Use method request method, entity body request entity body, including the author request headers, and include user credentials if the omit credentials flag is unset. Exclude the Referer header if source origin is a globally unique identifier.
As you correctly say, cookies are added by the browser if you use withCredentials.
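The behaviour discussed above, as an added example that is not part of the original question or answer: the server side builds the CORS headers a credentialed request needs, and the browser side sets withCredentials and leaves the cookie to the browser. The names ALLOWED_ORIGINS, credentialedCorsHeaders and sendWithCredentials and the origin https://app.example.com are assumptions made for illustration.

```javascript
// Added example; ALLOWED_ORIGINS, credentialedCorsHeaders and
// sendWithCredentials are hypothetical names, not from the original post.

// Constructed allowlist of origins permitted to make credentialed requests.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Server side: build the CORS response headers for a credentialed request.
// Returns null for an unknown origin so that no CORS headers are sent at all.
function credentialedCorsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (!requestOrigin || !allowed.has(requestOrigin)) return null;
  return {
    // Must be the exact origin: browsers reject "*" on credentialed requests.
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Headers": "Authorization",
    "Access-Control-Expose-Headers": "WWW-Authenticate",
    // Keep caches from serving one origin's response to another origin.
    "Vary": "Origin",
  };
}

// Browser side: the script never reads or writes the cookie itself.
function sendWithCredentials(url, authorization, onDone) {
  const xhr = new XMLHttpRequest();
  xhr.open("GET", url);
  xhr.withCredentials = true; // browser stores Set-Cookie and sends Cookie
  if (authorization) xhr.setRequestHeader("Authorization", authorization);
  xhr.onload = () => onDone({
    status: xhr.status,
    // Readable only because the server listed it in Expose-Headers.
    challenge: xhr.getResponseHeader("WWW-Authenticate"),
    // Always null: Set-Cookie is filtered out of the script-visible headers.
    setCookie: xhr.getResponseHeader("Set-Cookie"),
  });
  xhr.onerror = () => onDone({ status: 0, challenge: null, setCookie: null });
  xhr.send();
  return xhr;
}
```

Marking the session cookie HttpOnly on the server costs this flow nothing, since the script cannot read Set-Cookie through XMLHttpRequest anyway.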