Credentials: 'include' not including Cookie header

Question

I'm using credentials: 'include' and mode: 'cors' on the client. On the server I see access-control-allow-credentials: true and access-control-allow-origin: https://dev.com:9443 headers. I don't see my cookie header though and I can't seem to find why it isn't sending. Let me know if I can provide any further details.

Fetch request

fetch(url, {
  method: 'get',
  credentials: 'include',
  mode: 'cors',
  headers: {
    'Content-Type': 'application/json'
  }
});

Options Request Headers

:authority: prod.fakedomain.com
:method: OPTIONS
:path: /Search
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,fr;q=0.8,la;q=0.7
access-control-request-headers: content-type
access-control-request-method: GET
cache-control: no-cache
dnt: 1
origin: https://dev.com:9443
pragma: no-cache
referer: https://dev.com:9443/
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36

Options Response Headers

access-control-allow-credentials: true
access-control-allow-headers: content-type
access-control-allow-methods: GET,HEAD,POST
access-control-allow-origin: https://dev.com:9443
access-control-max-age: 1800
allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH
content-length: 0
date: Mon, 04 Feb 2019 03:45:06 GMT
status: 200
vary: Origin
x-application-context: application:8080

Get Request Headers

:authority: prod.fakedomain.com
:method: GET
:path: /Search
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,fr;q=0.8,la;q=0.7
cache-control: no-cache
content-type: application/json
dnt: 1
origin: https://dev.com:9443
pragma: no-cache
referer: https://dev.com:9443/
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36

Get Response Headers

access-control-allow-credentials: true
access-control-allow-origin: https://dev.com:9443
content-encoding: gzip
content-type: application/json;charset=UTF-8
date: Mon, 04 Feb 2019 03:45:07 GMT
status: 200
vary: Origin,Accept-Encoding
x-application-context: application:8080

Answer 1

I finally find out that problem just browser not allow two not same domain share any cookie(except for the same second level domain), it's beyond credentials: include can do, after 2 hours trying... I find out credentials: include just meaning u can send cookie but it doesn't meaning you can send cookie with two different domain..

Whatever you do, change browser setting、set cookie's SameSite any way, just can't do that...

So that is my conclusion，hope u get it...

Answer 2

I was able to resolve this issue by going into my Safari privacy settings and unchecking Prevent cross-site tracking