Fetch() will not accept cross-site (foreign) cookies

The browser will not accept any cookies from fetch() responses made to foreign domains (any cross site scripting). There is no error, or warning. The browser silently ignores all Set-Cookie headers.

I wasted many hours trying to get a cookie to be accepted by the browser; and this is my conclusion. Please add a note to the MDN docs regarding this.


BTW, I also added the following to the cookie docs

Note: The domain must match the domain of the JavaScript origin. Setting cookies to foreign domains will be silently ignored

Please review it.

In general, it was not obvious that neither Set-Cookie headers nor document.cookie JavaScript will accept foreign keys, and the browser will be silent about their rejection.

@chrisdavidmills I think you wrote the Fetch docs?

@jswisher yes, I did :wink:

@klahnakoski, sorry to hear about your troubles in this area. I’ve checked the cookie doc, and the wording looks good (I just gave it a small stylistic tweak).

For the Fetch docs, what wording would you suggest, for the note to add? I want to make sure that it represents the issue as accurately as possible, and provides the best help it can.

@chrisdavidmills Thank you for asking.

For the Fetch API

Instead of

By default, fetch won’t send or receive any cookies from the server, resulting in unauthenticated requests if the site relies on maintaining a user session (to send cookies, the credentials init option must be set).
Since Aug 25, 2017. The spec changed the default credentials policy to same-origin. Firefox changed since 61.0b13.

how about

  • fetch won’t receive cookies from a foreign site: You can’t establish a cross site session using fetch. Set-Cookie headers from other sites are silently ignored.
  • fetch won’t send cookies, unless you set the credentials init option. (Since Aug 25, 2017. The spec changed the default credentials policy to same-origin. Firefox changed since 61.0b13.)

@klahnakoski thanks for your suggestions — this looks good to me.

I have updated https://wiki.developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch with your text, and also added the same information to https://wiki.developer.mozilla.org/en-US/docs/Web/API/Fetch_API#Concepts_and_usage

Wait here,

I managed to send and set foreign cookies, on Chrome and Firefox, not tested for Safari since I don't use Apple, with proper CORS header, SameSite=None; Secure, and credentials: include.

Access-Control-Allow-Credentials must be true, and Access-Control-Allow-Origin must not be '*'. Set it to $http_Origin instead if you want the same behavior.

Btw, to send foreign cookies, Access-Control-Allow-Headers must include Cookie. I am not sure whether * will work.

However, anyway, the cookie will be set to the requested origin, not the origin making CORS. This is anyway impossible I think.