Hey, having trouble consuming this with a JS app. Let's assume the endpoints are at api.domain.com but the client is loaded from domain.com. The CORS bit isn't really an issue but I can't use the refresh token because it's in an HTTP ONLY cookie. So, how would one go about consuming this API from a js client on a different domain?
A secure cookie is only sent to the server with an encrypted request over the HTTPS protocol. Even with Secure, sensitive information should never be stored in cookies, as they are inherently insecure and this flag can't offer real protection. Starting with Chrome 52 and Firefox 52, insecure sites (http:) can't set cookies with the Secure directive.
To prevent cross-site scripting (XSS) attacks, HttpOnly cookies are inaccessible to JavaScript's Document.cookie API; they are only sent to the server. For example, cookies that persist server-side sessions don't need to be available to JavaScript, and the HttpOnly flag should be set.
Scope of cookies
The Domain and Path directives define the scope of the cookie: what URLs the cookies should be sent to.
Domain specifies allowed hosts to receive the cookie. If unspecified, it defaults to the host of the current document location, excluding subdomains. If Domain is specified, then subdomains are always included.
For example, if Domain=mozilla.org is set, then cookies are included on subdomains like developer.mozilla.org.
Path indicates a URL path that must exist in the requested URL in order to send the Cookie header. The %x2F ("/") character is considered a directory separator, and subdirectories will match as well.
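The Domain, Path, Secure and HttpOnly rules quoted above can be modelled in a few lines. The following is an added example, not code from this project or from the commenter: it parses a Set-Cookie header as the browser would and decides whether the resulting cookie is attached to a given request URL. The hosts (api.domain.com, domain.com), cookie name and paths are constructed for illustration and match the setup described in the issue; the public-suffix check a real browser also performs is deliberately left out.

```javascript
// Added example: a model of browser cookie scoping (RFC 6265 semantics as
// summarised in the MDN text above). Not the project's code; hosts, cookie
// names and paths below are constructed for illustration.

// Parse one Set-Cookie header value as received from `settingHost`.
// A cookie without a Domain attribute is "host-only": it is returned to
// exactly that host, never to subdomains. With Domain=..., the host and
// all of its subdomains receive it.
function parseSetCookie(header, settingHost) {
  const parts = header.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  const cookie = {
    name: parts[0].slice(0, eq),
    value: parts[0].slice(eq + 1), // may itself contain "=", so no split
    domain: settingHost.toLowerCase(),
    hostOnly: true,
    path: "/",
    secure: false,
    httpOnly: false,
  };
  for (const attr of parts.slice(1)) {
    const [key, val] = attr.split("=");
    switch (key.toLowerCase()) {
      case "domain": {
        const d = val.replace(/^\./, "").toLowerCase();
        // A server may only scope a cookie to itself or a parent domain;
        // anything else is rejected by the browser (public-suffix rule omitted).
        if (!(cookie.domain === d || cookie.domain.endsWith("." + d))) {
          throw new Error(`host ${cookie.domain} may not set a cookie for ${d}`);
        }
        cookie.domain = d;
        cookie.hostOnly = false;
        break;
      }
      case "path": cookie.path = val; break;
      case "secure": cookie.secure = true; break;
      case "httponly": cookie.httpOnly = true; break;
    }
  }
  return cookie;
}

// Domain rule: host-only cookies need an exact host match; domain cookies
// match the domain itself and any subdomain (a leading "." boundary, so
// "evil-domain.com" does not match Domain=domain.com).
function domainMatches(host, cookie) {
  host = host.toLowerCase();
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

// Path rule: the cookie path must equal the request path, or be a prefix
// of it ending in "/", or be a prefix followed by "/" in the request path.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith("/")) return true;
  return requestPath[cookiePath.length] === "/";
}

// Would the browser attach this cookie to a request for `requestUrl`?
// Secure cookies are only sent over https; HttpOnly does not affect this,
// it only hides the cookie from document.cookie.
function cookieSentTo(cookie, requestUrl) {
  const url = new URL(requestUrl);
  if (cookie.secure && url.protocol !== "https:") return false;
  return domainMatches(url.hostname, cookie) && pathMatches(url.pathname, cookie.path);
}

// Summary for a set of request URLs, including whether page script can read it.
function describeCookie(header, settingHost, urls) {
  const cookie = parseSetCookie(header, settingHost);
  const sentTo = {};
  for (const u of urls) sentTo[u] = cookieSentTo(cookie, u);
  return { name: cookie.name, readableByScript: !cookie.httpOnly, sentTo };
}

// Constructed scenario from the issue: the API at api.domain.com sets the
// refresh token with Domain=domain.com so the whole site receives it.
console.log(describeCookie(
  "refresh=abc==; Domain=domain.com; Path=/; Secure; HttpOnly",
  "api.domain.com",
  ["https://api.domain.com/token/refresh", "https://domain.com/", "http://api.domain.com/token/refresh"]
));
```

The output makes the distinction the reply is drawing: `readableByScript` is `false` because of HttpOnly, yet `sentTo` is `true` for both hosts over https. The script on domain.com never needs to read the refresh token; the browser attaches it to a credentialed request (a `fetch` with `credentials: "include"` whose CORS preflight is accepted) and the server reads it from the Cookie header.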