My site a.domain exposes a page whose scripts perform AJAX queries (using fetch) to b.domain.

During the first visit to a.domain, a cookie is sent to the client with the following parameters:
"httpOnly" : "true"
"secure" : "true"
"domain" : ".domain"
"sameSite" : tried Strict, Lax and None
b.domain has the following response headers:
"Access-Control-Allow-Origin" : "a.domain"
"Access-Control-Allow-Credentials" : "true"
"Access-Control-Allow-Methods" : "GET, PUT, POST, DELETE, OPTIONS"
"Access-Control-Allow-Headers" : "Content-Type, Authorization, Content-Length, X-Requested-With, Credentials"
And the headers of the fetch requests are:
"Content-Type" : "application/json"
"Accept" : "application/json"
"Credentials" : "include"
The cookie is well transmitted to a.domain, or if I visit b.domain directly, but not in AJAX requests.

EDIT: the problem is the same whatever the value of the sameSite parameter.

Is there a way to do that? Thanks
Ok, found it.

The problem was related to a misunderstanding of the credentials parameter in the fetch requests. credentials is not a header but a parameter of the request.

Once the parameter is out of the headers (and written in lowercase), everything works normally.
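An added example (not code from the question or the answer above) that puts the two request shapes side by side: the broken one, where "Credentials" is sent as a request header and therefore does nothing for cookies (it is just a custom header that forces a CORS preflight), and the working one, where `credentials: 'include'` is a top-level fetch option. It also includes a small check of the server's CORS response headers, because a credentialed cross-site request is only honoured when `Access-Control-Allow-Origin` echoes the exact calling origin (never `*`) and `Access-Control-Allow-Credentials` is `true`. The hosts `https://a.domain` and `https://b.domain` and the path `/api` are placeholders taken from the question, with the scheme assumed; the sample header sets are constructed for the example.

```javascript
// Added example: fetch credentials as an OPTION vs. as a HEADER.
// Hosts, path and header samples below are constructed placeholders.

// BROKEN: "Credentials" ends up as a custom request header. The browser does
// not recognise it as a credentials mode, so the cookie for ".domain" is still
// omitted from the cross-site request.
function brokenInit(bodyObj) {
  return {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'Accept': 'application/json',
      'Credentials': 'include', // a header, NOT the fetch credentials option
    },
    body: JSON.stringify(bodyObj),
  };
}

// WORKING: `credentials` is a property of the RequestInit object itself
// (lowercase). 'include' sends cookies on same-origin and cross-site requests.
function credentialedInit(bodyObj) {
  return {
    method: 'POST',
    credentials: 'include', // correct place for the setting
    headers: {
      'Content-Type': 'application/json',
      'Accept': 'application/json',
    },
    body: JSON.stringify(bodyObj),
  };
}

// Defender-side check of a server's CORS response for a credentialed request
// from `origin`: the browser rejects the response unless ACAO is the exact
// origin (a wildcard "*" is not allowed with credentials) and ACAC is "true".
// Header names are matched case-insensitively, as a browser would.
function corsAllowsCredentials(responseHeaders, origin) {
  const lower = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    lower[name.toLowerCase()] = String(value).trim();
  }
  const acao = lower['access-control-allow-origin'];
  const acac = lower['access-control-allow-credentials'];
  return acao === origin && acac === 'true';
}

// Usage from a page on https://a.domain (placeholder origin): the cookie set
// for ".domain" with Secure + HttpOnly is attached because of the option.
async function callB(payload) {
  const res = await fetch('https://b.domain/api', credentialedInit(payload));
  if (!res.ok) throw new Error(`b.domain answered ${res.status}`);
  return res.json();
}
```

Note that because the broken form sends a non-safelisted header, the browser issues an OPTIONS preflight; listing "Credentials" in `Access-Control-Allow-Headers` makes that preflight succeed, which is why the request appears to work while the cookie is still missing.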