Sending cookie with request from subdomain

Even if you are calling the main domain from a subdomain, this is considered a cross-origin request.

Quote from RFC 6454, which qualifies the "Origin" term:

Q: Why use the fully qualified host name instead of just the "top-level" domain?

A: Although the DNS has hierarchical delegation, the trust relationships between host names vary by deployment. For example, at many educational institutions, students can host content at https://example.edu/~student/, but that does not mean a document authored by a student should be part of the same origin (i.e., inhabit the same protection domain) as a web application for managing grades hosted at https://grades.example.edu/.

So all of the things you did are indeed required to make it work:

  • access-control-allow-credentials: true
  • access-control-allow-origin: subdomain.testing.parentdomain.com (not a wildcard)
  • withCredentials: true in the request

The SameSite=None cookie attribute is not required in this case because a request from a subdomain to another subdomain of the same domain is considered "same site" (Source).

So just check that everything is correctly set; it should work as is.


At the beginning of your question you stated:

The cookie domain is set to .testing.parentdomain.com

but in the logged server response:

set-cookie: AWSALBCORS=N0bcThdgRFzrSfQVNIsffgsvY6T/y2Bp47RZJCueeSLOS7eEjo0AThiElXmww6fy2eynRyyt8gAB8di/Mqy1x+Ds8Ig1TumKkWnQiFvIkoELI/rEYYgyUxbEtUI4; Expires=Tue, 10 Nov 2020 20:39:36 GMT; Path=/; SameSite=None; Secure

the Domain=.testing.parentdomain.com; parameter is clearly missing.

I don't know which programming language you are using to set the cookie, but I strongly suggest you check the call you use to set the cookie in your server response.
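As an added example (not code from either answer above), the following server-side helpers show the two checks the answers describe: emitting the CORS headers a credentialed request from the subdomain needs (exact origin echoed back, never a wildcard), and inspecting a Set-Cookie header for the missing Domain attribute. The allowlist and the cookie values are constructed; the host names are the ones quoted in the thread.

```javascript
// Origins that may make credentialed requests (constructed allowlist).
const ALLOWED_ORIGINS = new Set([
  "https://subdomain.testing.parentdomain.com",
]);

// Echo the exact request Origin when it is allowed. A wildcard "*" is
// rejected by browsers whenever Allow-Credentials is true, and Vary: Origin
// keeps caches from replaying one origin's headers to another.
function corsHeadersFor(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) {
    return null; // disallowed origin: send no CORS headers at all
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Build a Set-Cookie value that carries the Domain attribute the second
// answer found missing, so the cookie reaches every host under that domain.
function buildSetCookie(name, value, domain) {
  return `${name}=${value}; Domain=${domain}; Path=/; Secure; HttpOnly; SameSite=None`;
}

// Split a Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Report what a cookie that must be shared across subdomains is missing.
function cookieProblems(header) {
  const c = parseSetCookie(header);
  const problems = [];
  if (!c.attributes.domain) problems.push("Domain attribute missing");
  if (!c.attributes.secure) problems.push("Secure attribute missing");
  return problems;
}
```

Running cookieProblems() over the logged set-cookie line from the question reports only the missing Domain attribute, and the header produced by buildSetCookie() reports none.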