
Set-cookie blocked in non-https test environment web browser for REST API.

Hey,

I'm testing a REST API that is used for our IRIS Backend with a mobile app (Angular / ionic). 

The problem is that our test environment does not yet have HTTPS capabilities. It's something we're going to set up ASAP, but right now we don't have it set up.

We want to test the API endpoints via a web browser using either a test application built in Angular, or the app itself built with NPM via the browser. This means that the set-cookie headers are being blocked by the browser. 

Is there a way that we can allow the set-cookie header to be set in the browser for testing? 

It's also worth noting that if I test with a browser on my localhost, then the endpoints work as intended, but if I test using our remote test server, they do not, which is why I've tried adding CORS headers etc., but nothing seems to work so far.

The requests also work as intended via Postman always.

My suspicion is that the issue is related to JavaScript being blocked from accessing the HTTP headers: Set-Cookie - HTTP | MDN (mozilla.org), but I am out of ideas currently.


Things I've tried so far:

  • Manually adding same-site="none" and removing checks requiring HTTPS if same-site="none" in %CSP.Response
  • Manually adding CORS headers to the writehttpcookie method in %CSP.Response
  • Ensuring withCredentials is set up on the frontend requests

 

Any help would be greatly appreciated, 

 

Thanks

Product version: IRIS 2024.1
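
The browser cookie rules that bear on the setup described in the question, as an added example that is not part of the original post: current Chrome and Firefox reject `SameSite=None` without `Secure`, reject `Secure` cookies from plain-HTTP origins other than localhost, and do not store or send Lax (default) cookies on cross-site fetch/XHR. The function names and sample URLs are hypothetical, and the same-site comparison is simplified to scheme plus hostname.

```javascript
// Added example: list the reasons a browser would reject or withhold a cookie.
// Simplification (assumption): two URLs are "same-site" when scheme and
// hostname match exactly; real browsers compare registrable domains.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.split("=")[0], secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim());
    if (key.toLowerCase() === "secure") cookie.secure = true;
    if (key.toLowerCase() === "samesite") cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

function isTrustworthy(url) {
  // Current Chrome and Firefox accept Secure cookies from localhost over HTTP.
  return url.protocol === "https:" ||
    ["localhost", "127.0.0.1", "[::1]"].includes(url.hostname);
}

// responseUrl: the API endpoint that sent Set-Cookie; pageUrl: the web app.
function cookieProblems(setCookieHeader, responseUrl, pageUrl) {
  const cookie = parseSetCookie(setCookieHeader);
  const api = new URL(responseUrl);
  const page = new URL(pageUrl);
  // Ports are ignored: localhost:4200 and localhost:52773 are the same site.
  const crossSite =
    api.protocol !== page.protocol || api.hostname !== page.hostname;
  const problems = [];
  if (cookie.sameSite === "none" && !cookie.secure) {
    problems.push("SameSite=None without Secure: rejected");
  }
  if (cookie.secure && !isTrustworthy(api)) {
    problems.push("Secure cookie from a non-HTTPS origin: rejected");
  }
  if (crossSite && cookie.sameSite !== "none") {
    problems.push("cross-site request: SameSite=" +
      (cookie.sameSite || "lax (default)") +
      " cookie is not stored or sent on fetch/XHR");
  }
  return problems;
}

// Constructed sample: app served from localhost, API on a remote HTTP host.
console.log(cookieProblems("sid=abc; SameSite=None",
  "http://test-server.example:52773/api/login", "http://localhost:4200/"));
```

Postman does not apply these browser policies, which is consistent with the requests succeeding there.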