As soon as we have a real login + cookies + CORS in place, check how to make a fetch call that carries the HttpOnly session cookie (JS never reads the token itself; the browser attaches the cookie). Two things to verify on the server side: the CORS response must carry Access-Control-Allow-Credentials: true together with an explicit Access-Control-Allow-Origin (not *), and if the app and the API live on different sites the cookie needs SameSite=None; Secure, otherwise the browser will not attach it.
In theory it should be straightforward:
fetch('https://example.com', {
credentials: 'include'
})
https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch
https://security.stackexchange.com/questions/53359/are-httponly-cookies-submitted-via-xmlhttprequest-with-withcredentials-true
The second question is: will the HTTPOnly cookie be submitted to the token endpoint by the browser with my XHR if I set withCredentials=True?
Yes it will. HTTPOnly protects from JavaScript itself on the client, it doesn't affect HTTP requests.
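Both halves of the credentialed call, as an added example (not code from the original note or from the linked answers): the browser-side fetch, the Set-Cookie the login handler has to emit, and the CORS decision the API makes before the browser will expose the response to JS. https://app.example.com (the SPA) and https://api.example.com (the API) are assumed names, and ALLOWED_ORIGINS is an assumed allowlist.

```javascript
// Added example, not code from the original note or the linked answers.
// Assumed names: https://app.example.com (SPA), https://api.example.com (API).

// Browser side. JS never sees the HttpOnly cookie; credentials: 'include'
// only tells the browser to attach it. Without it a cross-origin fetch
// sends no cookies at all, so the API would see an anonymous request.
async function callApiWithSessionCookie(url) {
  const res = await fetch(url, {
    method: 'POST',
    credentials: 'include',
    headers: { 'Content-Type': 'application/json' }, // non-simple header: browser preflights
    body: JSON.stringify({ action: 'refresh' }),
  });
  if (!res.ok) throw new Error(`API call failed: HTTP ${res.status}`);
  return res.json();
}

// Server side (login handler). The cookie must be Secure + HttpOnly, and if the
// SPA and the API live on different sites it also needs SameSite=None, or the
// browser silently drops it from the cross-site fetch above.
function sessionCookieHeader(token, { crossSite }) {
  const attrs = ['Path=/', 'Secure', 'HttpOnly', crossSite ? 'SameSite=None' : 'SameSite=Lax'];
  return `session=${encodeURIComponent(token)}; ${attrs.join('; ')}`;
}

// Server side (every API request). Exact allowlist of browser origins that may
// call the API with cookies. Assumed value for this example.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Decide the CORS outcome for one request. `req` is { method, headers } with
// lower-cased header names, the shape Node's http module hands a handler.
// Returns { status, headers }; status null means "continue to the real handler".
function corsDecision(req) {
  const origin = req.headers.origin;
  const method = req.method.toUpperCase();

  // No Origin header: same-origin navigation or a non-browser client. Nothing to do.
  if (origin === undefined) return { status: null, headers: {} };

  // Any response that depends on Origin must say so, or a shared cache could
  // serve one origin's CORS headers to another.
  const headers = { 'Vary': 'Origin' };

  if (!ALLOWED_ORIGINS.has(origin)) {
    // The cookie still rides along on a cross-site POST from an unknown page,
    // so state-changing methods are refused outright (CSRF defence), not
    // merely left without CORS headers.
    if (!SAFE_METHODS.has(method)) return { status: 403, headers };
    // Safe methods: no Allow-Origin, so the browser keeps the body from JS.
    return { status: null, headers };
  }

  headers['Access-Control-Allow-Origin'] = origin; // exact echo; '*' is rejected with credentials
  headers['Access-Control-Allow-Credentials'] = 'true';

  if (method === 'OPTIONS' && req.headers['access-control-request-method'] !== undefined) {
    // Preflight: grant only what the SPA actually uses.
    headers['Access-Control-Allow-Methods'] = 'GET, POST';
    headers['Access-Control-Allow-Headers'] = 'Content-Type';
    headers['Access-Control-Max-Age'] = '600';
    return { status: 204, headers };
  }
  return { status: null, headers };
}
```

corsDecision is written as a pure function over { method, headers } so it can be unit-tested without a socket; in a Node http server you would call it first, write res.writeHead(status, headers) and return when status is non-null, and otherwise merge the headers into the real response. The 403 on a state-changing request from an unknown Origin is the important part: HttpOnly stops JS from reading the cookie, it does nothing to stop another site from making the browser send it.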