I'm trying to build an Express and Angular 2 app.
My server runs on localhost:3000 and my client on localhost:3001.

I'm stuck on trying to secure my app from CSRF in this cross-domain situation.

On my client I've set up CORS + the CSRF token as "XSRF-TOKEN":

// CORS configuration
const originsWhiteList = {
  "http://localhost:3001": true   // front-end development port
};
const corsOptions = {
  origin: function(origin, callback) {
    // cors callback signature is (err, allow); reflecting the origin string allows it
    callback(originsWhiteList[origin] ? null : 'Bad Request', origin);
  },
  credentials: true,
  methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
  allowedHeaders: ['Content-Type', 'Origin', 'Accept', 'X-Requested-With'],
  exposedHeaders: ['Content-Type', 'Expires', 'Last-Modified'],
  maxAge: 900 // Access-Control-Max-Age in seconds: browser caches the preflight result for 15 minutes
}

app.options('/api/*', cors(corsOptions));  // handle preflight (HTTP OPTIONS) requests
app.use(cors(corsOptions));

// req.csrfToken() comes from csurf, mounted earlier and backed by express-session
app.use( (req, res, next) => {
  res.cookie('XSRF-TOKEN', req.csrfToken(),
    {
      httpOnly: true,  // HttpOnly cookies are never exposed to document.cookie
      maxAge: 7200     // res.cookie() maxAge is in milliseconds, so this is ~7 s (Max-Age=7 below)
    }
  );
  // TODO: delete the following couple of lines
  res.cookie('dummyCookie', 'you found me');
  console.log("---res.header: ---\n", res._headers);
  next();
});

My response from the server looks like this:
---res.header: ---
 { 'x-dns-prefetch-control': 'off',
  'x-frame-options': 'SAMEORIGIN',
  'x-download-options': 'noopen',
  'x-content-type-options': 'nosniff',
  'x-xss-protection': '1; mode=block',
  'access-control-allow-origin': 'http://localhost:3001',
  vary: 'Origin',
  'access-control-allow-credentials': 'true',
  'access-control-expose-headers': 'Content-Type,Expires,Last-Modified',
  'set-cookie':
   [ 'XSRF-TOKEN=TQTcua0w-O0DTRLtvpNvjYnX2Tf0VgHzT4GI; Max-Age=7; Path=/; Expires=Tue, 21 Feb 2017 12:14:47 GMT',
     'dummyCookie=you%20found%20me; Path=/' ] }

Notice the 'XSRF-TOKEN', but once on the client side there is no trace of the cookie.

<https://lh3.googleusercontent.com/-J9q3e_0UPSk/WKwxKtFnfuI/AAAAAAAABHM/76IQgHDfR3Qq0zn8_B74195oivwYsmAagCLcB/s1600/Screen%2BShot%2B2017-02-21%2Bat%2B7.22.45%2BPM.png>


I'm not using "cookie-parser" on my server, only "express-session".
document.cookie results in an empty string.

Can someone help me?

-- 
You received this message because you are subscribed to the Google Groups 
"Angular and AngularJS discussion" group.