I'm having a new problem with a cross-site JavaScript request and sending cookies, but only in Firefox.
I have this code:
$.ajax({
    type: "POST",
    url: "https://server.com/page",
    data: $('#formdata').serialize(),
    // Ask the browser to attach cookies to this cross-site request
    xhrFields: {
        withCredentials: true
    },
    success: function(html) {
        alert("Thank you for your submission");
    },
    crossDomain: true
});
(context: it is in an example of how CSRF attacks work)
https://server.com/page relies on a session ID cookie to be sent. The cookie has been set, with SameSite set to None and the Secure flag included. myserver.com has the Access-Control-Allow-Origin set to include the site making this request. It also has
Access-Control-Allow-Credentials: true
However, in Firefox, the session ID cookie doesn't get sent. I am sure it used to before my most recent Firefox upgrade. I checked in a different tab and the cookie is there, and does have the correct settings.
It works in Chrome and it works in Safari.
Does anyone know if Firefox has changed its policy recently? Is there a setting I can configure?
My Firefox version is 104.0.2 (64 bit) and I am running on Mac (Monterey).
Never mind, I found it. Firefox's Total Cookie Protection prevents pretty much all cross-site cookie sending. Arguably a good thing but if, like me, you do want to enable cross-site cookies, go to Settings in Firefox and Privacy & Security. Under Enhanced Tracking Protection, click on Custom and uncheck Cookies.
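The server-side conditions listed in the question (an exact Access-Control-Allow-Origin, Access-Control-Allow-Credentials: true, and a SameSite=None; Secure cookie) can be checked mechanically before looking at browser settings. The following is an added example, not part of the original post; the function names, the origin https://form.example and the header values are constructed for illustration.

```javascript
// Added example (not from the original post). All header values are constructed.
// Parse one Set-Cookie header value into { name, attrs }, attribute names lowercased.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const eq = part.indexOf("=");
    const key = (eq === -1 ? part : part.slice(0, eq)).toLowerCase();
    attrs[key] = eq === -1 ? true : part.slice(eq + 1);
  }
  return { name: pair.split("=")[0], attrs };
}

// Return the misconfigurations that break a credentialed cross-site request:
// CORS headers the browser rejects, or a cookie it will not attach cross-site.
function checkCredentialedCors(pageOrigin, responseHeaders, setCookie) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const problems = [];
  const acao = h["access-control-allow-origin"];
  if (acao === "*") problems.push("ACAO is '*', which is not allowed with credentials");
  else if (acao !== pageOrigin) problems.push("ACAO does not match the requesting origin");
  // The header value is compared case-sensitively: "True" does not count.
  if (h["access-control-allow-credentials"] !== "true")
    problems.push("Access-Control-Allow-Credentials must be exactly 'true'");
  const { name, attrs } = parseSetCookie(setCookie);
  const sameSite = String(attrs["samesite"] || "").toLowerCase();
  if (sameSite !== "none") problems.push(`cookie ${name} is not SameSite=None`);
  if (!attrs["secure"]) problems.push(`cookie ${name} lacks Secure`);
  return problems;
}

// Constructed samples: the setup described in the question, and a misconfigured one.
const good = checkCredentialedCors(
  "https://form.example",
  { "Access-Control-Allow-Origin": "https://form.example", "Access-Control-Allow-Credentials": "true" },
  "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=None"
);
const bad = checkCredentialedCors(
  "https://form.example",
  { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "True" },
  "sessionid=abc123; Path=/; SameSite=None"
);
console.log(good, bad);
```

An empty result only means the server side is configured correctly; a browser that blocks or partitions cross-site cookies, as Firefox's Total Cookie Protection does in the post above, can still withhold the cookie.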