Based on your description and the provided configuration, here are the key points and troubleshooting steps for your issue: ### 1. Domain and Cookie Settings - Same Domain: You are running both your frontend and Ory Kratos on

<http://abc.com|abc.com>

, which is correct. Ory requires that your UI and Kratos are on the same top-level domain for cookies and flows to work properly. Subdomains are also supported, but different top-level domains are not [[Self-service flows: Browser flows for client-side apps](https://www.ory.sh/docs/kratos/self-service#browser-flows-for-client-side-apps-single-page-apps-reactjs-angular-nextjs-)]. - Cookie Settings: You have set

secure: false

and are running with the

--dev

flag, which is correct for local development. This allows cookies to be set over HTTP [[Cookie settings](https://www.ory.sh/docs/kratos/guides/configuring-cookies)]. ### 2. CORS and Credentials - CORS: You have added

<https://abc.com>

to

cors.allowed_origins

, which is required for cross-origin requests to work [[CORS settings](https://www.ory.sh/docs/kratos/guides/setting-up-cors)]. - Credentials: When making AJAX requests (such as with Next.js), you must ensure that credentials (cookies) are included. In the Ory SDK, this is done by setting

withCredentials: true

in the configuration. If you use

fetch

, set

credentials: 'include'

[[Cookie-based security model](https://www.ory.sh/docs/security-model#http-cookies)]. ### 3. Common Pitfalls - Public Suffix Domains: If your domain is on the [public suffix list](https://publicsuffix.org/), cookies cannot be set. Make sure

<http://abc.com|abc.com>

is not a public suffix [[CSRF troubleshooting](https://www.ory.sh/docs/troubleshooting/csrf)]. - Mixing localhost and 127.0.0.1: Ensure you are not mixing these in your configuration or requests, as they are treated as different domains [[CSRF troubleshooting](https://www.ory.sh/docs/kratos/debug/csrf)]. - SameSite Attribute: In

--dev

mode,

SameSite=Lax

is allowed with

secure: false

, but in production, you must use HTTPS and

secure: true

[[CSRF troubleshooting](https://www.ory.sh/docs/kratos/debug/csrf)]. ### 4. Debugging Steps - Check Set-Cookie Header: In your browser's network tab, inspect the response from the registration flow initialization. Ensure the

Set-Cookie

header is present and not blocked. - Check Cookie Storage: In the browser's Application tab, verify that the cookie is actually being stored for

<http://abc.com|abc.com>

. - Check for JavaScript Errors: The error message "Enable JavaScript and cookies to continue" typically means cookies are not being set or sent. This can be due to misconfiguration or browser settings. ### 5. Example SDK Configuration Make sure your Ory client is configured like this:

js import { FrontendApi, Configuration } from "@ory/client"  const ory = new FrontendApi(   new Configuration({     basePath: "<https://abc.com/api/.ory>",     baseOptions: {       withCredentials: true, // This is crucial!     },   }), )

[[Cookie-based security model](https://www.ory.sh/docs/security-model#http-cookies)] ### 6. Additional Notes - If you are using a reverse proxy or custom domain setup, ensure that all headers (especially

Set-Cookie

) are properly forwarded and not stripped. - If you are still facing issues, try running both frontend and Kratos on the exact same domain and port to rule out subtle domain mismatches. --- Summary: Your configuration appears correct for local development. The most common cause for your error is that cookies are not being set or sent due to missing

withCredentials: true

in your AJAX requests, or a subtle domain mismatch. Double-check your browser's network and application tabs for cookie activity, and ensure your requests include credentials. If the issue persists, review your reverse proxy (if any) and confirm your domain is not on the public suffix list. If you need more targeted help, please provide the exact network request/response headers (especially

Set-Cookie

) and your Ory client initialization code.

New message text here

If your request to

/self-service/registration/browser

returns a 403 with the message "Enable JavaScript & cookies" and does not reach your Kratos instance, this typically indicates a problem with how cookies and/or CORS are configured, or a domain mismatch. Here are the most relevant points from the knowledge sources: 1. Same Domain Requirement: Ory Kratos and your frontend must be on the same top-level domain. Subdomains are allowed, but different top-level domains are not supported for browser flows. For example,

<http://kratos.abc.com|kratos.abc.com>

and

<http://app.abc.com|app.abc.com>

will work, but

<http://abc.com|abc.com>

and

<http://another.com|another.com>

will not. Also, do not mix

localhost

and `127.0.0.1`—they are treated as different domains [[Browser vs. native apps](https://www.ory.sh/docs/identities/native-browser), [CSRF troubleshooting](https://www.ory.sh/docs/kratos/debug/csrf)]. 2. Cookies and CORS: - For browser flows, cookies (including CSRF tokens) must be set and sent with requests. - When using AJAX (e.g., with Next.js), you must set

withCredentials: true

(or

credentials: 'include'

with fetch) so cookies are included in requests [[Custom UI Integration](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#create-a-flow), [CSRF troubleshooting](https://www.ory.sh/docs/troubleshooting/csrf)]. - CORS must be configured to allow your frontend origin. However, Ory has a "deny by default" CORS policy and only allows origins explicitly configured [[Debug: CORS](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#debug)]. 3. Public Suffix List: If your domain is on the [public suffix list](https://publicsuffix.org/), cookies cannot be set, and you will get CSRF or cookie errors [[CSRF troubleshooting](https://www.ory.sh/docs/troubleshooting/csrf)]. 4. Reverse Proxy or API Gateway: If you are using a reverse proxy, ensure it is correctly forwarding all headers, especially

Set-Cookie

and

Cookie

. If these are stripped or altered, cookies will not work and you may see this error [[CSRF troubleshooting](https://www.ory.sh/docs/troubleshooting/csrf)]. 5. Browser Settings: Some browser extensions or privacy settings can block cookies or JavaScript, causing this error. Summary of what to check: - Ensure both your frontend and Kratos are on the same (sub)domain and protocol (HTTP/HTTPS). - Make sure your AJAX requests include credentials/cookies. - Confirm your CORS settings in Kratos allow your frontend origin. - Verify your domain is not on the public suffix list. - If using a reverse proxy, ensure it does not strip cookies or headers. - Double-check that you are not mixing

localhost

and

127.0.0.1

. If all of the above are correct and you still get the error, the knowledge sources do not provide further troubleshooting steps for this specific scenario. In that case, please provide more details about your network setup and any proxy or gateway in use. > References: > [Browser vs. native apps](https://www.ory.sh/docs/identities/native-browser) > [CSRF troubleshooting](https://www.ory.sh/docs/troubleshooting/csrf) > [Custom UI Integration](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#create-a-flow) > [Debug: CORS](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#debug)