Dev Tools · 2h ago
How Browsers Decide When to Send Cookies in Cross-Origin Requests
Browsers do not send cookies in cross-origin requests by default; developers must set credentials: 'include' in fetch calls. Even then, cookies are only sent if their Domain, Path, and SameSite attributes match the request. Servers must also respond with Access-Control-Allow-Credentials: true and a specific origin, not a wildcard.
Meridian48 take
This clarifies a common misconception that CORS alone handles cookies, underscoring the need for explicit credential configuration.
cookiescors