The browser will not accept any cookies from fetch() responses made to foreign domains (any cross site scripting). There is no error, or warning. The browser silently ignores all Set-Cookie headers.
I wasted many hours trying to get a cookie to be accepted by the browser; and this is my conclusion. Please add a note to the MDN docs regarding this.
Note: The domain must match the domain of the JavaScript origin. Setting cookies to foreign domains will be silently ignored.
Please review it.
In general, it was not obvious that neither Set-Cookie headers, nor document.cookie JavaScript will accept foreign keys, and the browser will be silent about their rejection.
@klahnakoski, sorry to hear about your troubles in this area. I’ve checked the cookie doc, and the wording looks good (I just gave it a small stylistic tweak).
For the Fetch docs, what wording would you suggest, for the note to add? I want to make sure that it represents the issue as accurately as possible, and provides the best help it can.
By default, fetch won't send or receive any cookies from the server, resulting in unauthenticated requests if the site relies on maintaining a user session (to send cookies, the credentials init option must be set).
Since Aug 25, 2017. The spec changed the default credentials policy to same-origin. Firefox changed since 61.0b13.
how about
fetch won't receive cookies from a foreign site: You can't establish a cross site session using fetch. Set-Cookie headers from other sites are silently ignored.
fetch won't send cookies, unless you set the credentials init option. (Since Aug 25, 2017. The spec changed the default credentials policy to same-origin. Firefox changed since 61.0b13.)
I managed to send and set foreign cookies, on Chrome and Firefox, not tested for Safari since I don't use Apple, with proper CORS header, SameSite=None; Secure, and credentials: include.
Access-Control-Allow-Credentials must be true, and Access-Control-Allow-Origin must not be '*'. Set it to $http_Origin instead if you want the same behavior.
Btw, to send foreign cookies, Access-Control-Allow-Headers must include Cookie. I am not sure whether * will work.
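The combination described in the last two posts (credentials: include on the client; an exact reflected origin, Allow-Credentials true, and a SameSite=None; Secure cookie on the server), as an added example that is not code from the thread. The allow-listed origin and cookie name are made up, and the handler returns a plain object instead of writing to a socket so the logic can be checked offline.

```javascript
// Added example: server-side CORS handling for a credentialed cross-site fetch,
// plus the matching client-side fetch options. Origin and cookie name are constructed.

const ALLOWED_ORIGINS = new Set(['https://app.example.test']); // constructed allow-list

// Build the response for a cross-site request carrying the given Origin header.
// Returns { status, headers } rather than writing to a real response object.
function handleCrossSiteRequest(method, origin, sessionId) {
  // With credentials, Access-Control-Allow-Origin must be the exact origin, never '*'.
  // Reflect only allow-listed origins: reflecting any origin while allowing
  // credentials would let every site read authenticated responses.
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers: {} };
  }
  const headers = {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // Caches must key on Origin because the allow-origin value is reflected.
    'Vary': 'Origin',
  };
  if (method === 'OPTIONS') {
    // Preflight: advertise what the actual request may use; no cookie is set here.
    headers['Access-Control-Allow-Methods'] = 'GET, POST';
    headers['Access-Control-Allow-Headers'] = 'Content-Type';
    return { status: 204, headers };
  }
  // A cookie set from a cross-site response is stored only if it is
  // SameSite=None and Secure; otherwise the browser drops it without any error.
  headers['Set-Cookie'] = `session=${sessionId}; Path=/; HttpOnly; Secure; SameSite=None`;
  return { status: 200, headers };
}

// Client side (browser): with the default credentials policy the browser neither
// sends nor stores cookies for a cross-site fetch, so 'include' is required.
function crossSiteFetchOptions() {
  return { method: 'GET', mode: 'cors', credentials: 'include' };
}
```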