Will a CORS request set/send a cookie with SameSite=Strict if the cookie's domain attribute is set to the client's domain?
For example, if I make a request from cors.com to cors-api.com, will this configuration allow my cookie to be set and sent?
Set-Cookie: MY_KEY=<MY_VALUE>; Secure; HttpOnly; Domain=cors.com; SameSite=Strict;
No, you cannot set a Domain value that does not match the site setting the cookie - the browser should reject this.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#Invalid_domains
The Domain attribute is used to control whether the cookie will be sent for subdomains of the originating site.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Scope_of_cookies
If you need cookies to be sent in a cross-site context, they must be set with SameSite=None; Secure.
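The two browser decisions the answer describes can be modelled in a few dozen lines. The following JavaScript is an added example, not code from the question or the answer: it parses a Set-Cookie header, applies the RFC 6265 domain-match rule to decide whether the cookie is stored at all, and then applies the SameSite rule to decide whether a stored cookie is attached to a cross-site fetch. The host names cors.com and cors-api.com come from the question; the cookie value, the "unspecified SameSite means Lax" default, and the two-label registrable-domain shortcut are assumptions made for the demo.

```javascript
// Added example, not from the original question or answer: a small model of
// (1) whether a Set-Cookie header is accepted (RFC 6265 domain-match rule) and
// (2) whether an accepted cookie is attached to a cross-site fetch (SameSite).
// Cookie value, default-SameSite choice and registrable-domain shortcut are
// assumptions made for this demo.

// Parse "NAME=VALUE; Attr; Attr=val" into { name, value, attrs }.
// Attribute names are case-insensitive, so they are lower-cased.
function parseSetCookie(header) {
  const parts = header.split(";").map((s) => s.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? "" : attr.slice(i + 1).trim();
  }
  return cookie;
}

// RFC 6265 section 5.1.3: host domain-matches domain when they are equal or
// host ends with "." + domain. A leading dot on the attribute is ignored.
function domainMatches(host, domain) {
  const h = host.toLowerCase();
  const d = domain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// Simplification (assumption): take the last two labels as the registrable
// domain. Real browsers consult the Public Suffix List, so "co.uk"-style
// suffixes are handled wrongly here.
function registrableDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Decision 1: does the browser store a cookie set by a response from responseHost?
function storeDecision(header, responseHost) {
  const cookie = parseSetCookie(header);
  const a = cookie.attrs;
  if ("domain" in a && !domainMatches(responseHost, a.domain)) {
    // The case in the question: cors-api.com cannot set Domain=cors.com.
    return { stored: false, reason: `Domain=${a.domain} does not cover ${responseHost}` };
  }
  // Assumption: an unspecified SameSite is treated as Lax (Chromium's default).
  const sameSite = (a.samesite || "Lax").toLowerCase();
  if (sameSite === "none" && !("secure" in a)) {
    return { stored: false, reason: "SameSite=None requires Secure" };
  }
  return {
    stored: true,
    cookie: {
      name: cookie.name,
      value: cookie.value,
      domain: (a.domain ? a.domain.replace(/^\./, "") : responseHost).toLowerCase(),
      hostOnly: !("domain" in a),
      secure: "secure" in a,
      sameSite,
    },
  };
}

// Decision 2: is a stored cookie attached to a fetch/XHR to targetHost made by
// a page whose top-level site is topLevelSite? A fetch is not a top-level
// navigation, so Lax behaves like Strict here: only SameSite=None crosses sites.
function sentOnRequest(decision, targetHost, topLevelSite, scheme = "https") {
  if (!decision.stored) return false;
  const c = decision.cookie;
  const hostOk = c.hostOnly
    ? targetHost.toLowerCase() === c.domain
    : domainMatches(targetHost, c.domain);
  if (!hostOk) return false;
  if (c.secure && scheme !== "https") return false;
  const crossSite = registrableDomain(targetHost) !== registrableDomain(topLevelSite);
  return !crossSite || c.sameSite === "none";
}

// Walk through three configurations a page on cors.com might see when it calls
// cors-api.com (constructed sample headers).
function demo() {
  const api = "cors-api.com";
  const page = "cors.com";
  const headers = {
    askedInQuestion: "MY_KEY=abc; Secure; HttpOnly; Domain=cors.com; SameSite=Strict",
    ownDomainStrict: "MY_KEY=abc; Secure; HttpOnly; Domain=cors-api.com; SameSite=Strict",
    crossSiteCapable: "MY_KEY=abc; Secure; HttpOnly; SameSite=None",
  };
  const out = {};
  for (const [label, h] of Object.entries(headers)) {
    const d = storeDecision(h, api);
    out[label] = { stored: d.stored, sent: sentOnRequest(d, api, page), reason: d.reason || "" };
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the header from the question is never stored (Domain mismatch), a Strict cookie scoped to cors-api.com is stored but not sent on the cross-site fetch from cors.com, and only the SameSite=None; Secure variant is both stored and sent.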