The Cookie-header is missing when sending a credentials: true-fetch-request in a Tampermonkey userscript in Chrome even though CORS is configured correctly. What is the problem?

Additional information:

The same code works as expected in a Tampermonkey userscript in Firefox.

I have an API endpoint on a cross-origin server which is properly configured to accept a specific fetch-request with credentials: true.

This is my current code:

fetch('https://example.com/api/my/endpoint', {
    credentials: 'include',
    headers: {
        'Content-Type': 'application/json'
    }
});

The OPTIONS-preflight-request to example.com is being made successfully and returns with the following headers:

access-control-allow-origin: https://requestingsite.com
allow: GET, OPTIONS
access-control-allow-methods: GET, OPTIONS
access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept, Cookie, Authorization, Pragma
access-control-allow-credentials: true

After that, the GET-request to example.com is made. It works as expected in Firefox - it sends the necessary Cookie-header in the request.

It doesn't work in Chrome, though. The request in Chrome contains the necessary Origin-header and matches what is inside the header access-control-allow-origin returned by the server.

The Wavelength
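
The preflight headers quoted in the question, checked against the rules browsers apply to a CORS request made with `credentials: 'include'`. This is an added example, not part of the original post; `checkCredentialedPreflight`, `listValue` and the argument shapes are hypothetical names chosen for illustration.

```javascript
// Added example: evaluates a preflight response for a credentialed CORS request.
// checkCredentialedPreflight and its argument shape are hypothetical.
const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);

function listValue(value) {
  return (value || '').split(',').map(s => s.trim()).filter(Boolean);
}

function checkCredentialedPreflight({ origin, method, unsafeHeaders }, responseHeaders) {
  // Header names are case-insensitive; normalise them once.
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v.trim();
  const problems = [];

  const acao = h['access-control-allow-origin'];
  if (acao === '*') problems.push('allow-origin is "*", which is rejected with credentials');
  else if (acao !== origin) problems.push(`allow-origin ${acao} does not equal ${origin}`);

  // Must be the exact, case-sensitive string "true".
  if (h['access-control-allow-credentials'] !== 'true')
    problems.push('allow-credentials is not "true"');

  // With credentials, "*" in the method/header lists is a literal, not a wildcard.
  const methods = listValue(h['access-control-allow-methods']);
  if (!SAFELISTED_METHODS.has(method) && !methods.includes(method))
    problems.push(`method ${method} not allowed`);

  const allowed = new Set(listValue(h['access-control-allow-headers']).map(s => s.toLowerCase()));
  for (const name of unsafeHeaders)
    if (!allowed.has(name.toLowerCase())) problems.push(`header ${name} not allowed`);

  return { ok: problems.length === 0, problems };
}

// Origin, method, request header and response headers as given in the question.
const request = { origin: 'https://requestingsite.com', method: 'GET', unsafeHeaders: ['Content-Type'] };
const preflight = {
  'access-control-allow-origin': 'https://requestingsite.com',
  'access-control-allow-methods': 'GET, OPTIONS',
  'access-control-allow-headers': 'Origin, X-Requested-With, Content-Type, Accept, Cookie, Authorization, Pragma',
  'access-control-allow-credentials': 'true',
};
const fromQuestion = checkCredentialedPreflight(request, preflight);
// Constructed counter-case: the same response with a wildcard origin.
const wildcard = checkCredentialedPreflight(request, { ...preflight, 'access-control-allow-origin': '*' });
console.log(fromQuestion, wildcard);
```

The check covers only the response-header rules for credentialed CORS; it says nothing about whether the browser attaches a cookie to the request.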

0 Answers