
Cross-domain cookies in preflight requests

Two components:

  1. A React single page app on https://react.mycompany.com
  2. An Apigee API proxy on https://apigee.proxy.com

On login Apigee sets a jwt cookie using the Set-Cookie header:

Set-Cookie: jwt={jwtoken};secure;httponly;path=/;samesite=none

On the client side, Chrome shows me this cookie for the frame https://react.mycompany.com:

name: jwt
value: XXX
domain: apigee.proxy.com
path: /
httpOnly: true
secure: true
sameSite: none

Now on non-auth requests Apigee checks the presence of the jwt cookie before processing the request.

The cookie is not sent on the OPTIONS preflight request and therefore all calls fail.

On the client side we use the fetch() API with credentials: 'include'.

What am I missing here?

Browsers don't ever send cookies in preflight OPTIONS requests. So what the question describes is expected behavior. And the reason browsers don't send cookies in the preflight is because the spec for the CORS protocol requires browsers to exclude cookies and all other standard credentials (e.g., the Authorization header) from the preflight. See https://fetch.spec.whatwg.org/#ref-for-credentials%E2%91%A5, which states:

a CORS-preflight request never includes credentials

…and see also the answer at https://stackoverflow.com/a/50959576/441757.

So the server the preflight is sent to must be configured to allow unauthenticated OPTIONS requests — and must respond to OPTIONS requests with a 200 OK even if a request doesn't include any cookies or other credentials. That's a fundamental requirement of the CORS protocol.
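To make the rule from this answer concrete, here is an added illustration (not the answerer's code and not Apigee configuration) of a request handler that answers OPTIONS preflights with 200 and no credential check, and only requires the jwt cookie on the actual request. The origin and cookie name are taken from the question; the handler shape, the 401/403 responses and the hypothetical handle() function are constructed for the example.

```javascript
// Added example: a minimal CORS-aware handler in the shape of a Node
// http.createServer callback, reduced to a pure function for clarity.
// Preflight (OPTIONS) is answered 200 without looking for cookies, because
// the browser never attaches them there; the real request requires jwt.
const ALLOWED_ORIGIN = 'https://react.mycompany.com'; // from the question

// Parse a Cookie request header ("a=1; b=2") into a plain object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// CORS response headers. With credentials: 'include' on the client, the
// browser rejects a wildcard origin, so the origin is echoed explicitly.
function corsHeaders(origin) {
  if (origin !== ALLOWED_ORIGIN) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type',
    'Vary': 'Origin',
  };
}

// req mimics IncomingMessage: { method, headers } with lowercase header names.
// Returns { status, headers, body } instead of writing to a socket.
function handle(req) {
  const origin = req.headers['origin'];
  const headers = corsHeaders(origin);
  if (req.method === 'OPTIONS') {
    // Preflight: unauthenticated by design, so no cookie check here.
    return { status: 200, headers, body: '' };
  }
  if (origin !== undefined && !headers['Access-Control-Allow-Origin']) {
    return { status: 403, headers, body: 'origin not allowed' };
  }
  const cookies = parseCookies(req.headers['cookie']);
  if (!cookies.jwt) {
    return { status: 401, headers, body: 'missing jwt cookie' };
  }
  // A real proxy would verify the JWT signature and expiry before this point.
  return { status: 200, headers, body: 'ok' };
}
```

The same split applies to any CORS-fronted API: the preflight check is origin/method/headers only, and authentication is enforced on the subsequent actual request.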
