From 404963d029edd568773e75a24b2841983d710bca Mon Sep 17 00:00:00 2001 From: wbamberg Date: Thu, 20 Jun 2024 11:07:46 -0700 Subject: [PATCH] Add a note about SameSite --- files/en-us/web/api/fetch_api/using_fetch/index.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/files/en-us/web/api/fetch_api/using_fetch/index.md b/files/en-us/web/api/fetch_api/using_fetch/index.md index c66ee9a8d2400ac..3a3c53494a46194 100644 --- a/files/en-us/web/api/fetch_api/using_fetch/index.md +++ b/files/en-us/web/api/fetch_api/using_fetch/index.md @@ -192,6 +192,8 @@ To control whether or not the browser sends credentials, set the `credentials` o - `same-origin` (the default): only send and include credentials for same-origin requests. - `include`: always include credentials, even cross-origin. +Note that if a cookie's [`SameSite`](/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value) attribute is set to `Strict` or `Lax`, then the cookie will not be sent cross-site, even if `credentials` is set to `include`. + Including credentials in cross-origin requests can make a site vulnerable to {{glossary("CSRF")}} attacks, so even if `credentials` is set to `include`, the server must also agree to their inclusion by including the {{httpheader("Access-Control-Allow-Credentials")}} in its response. Additionally, in this situation the server must explicitly specify the client's origin in the {{httpheader("Access-Control-Allow-Origin")}} response header (that is, `*` is not allowed). This means that if `credentials` is set to `include` and the request is cross-origin, then:
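Review bot: the added note says the cookie "will not be sent cross-site", while the surrounding list and the following paragraph talk about "cross-origin" requests, and the two are not the same. A request to another origin within the same site (for example a different subdomain or port) is cross-origin but same-site, so `SameSite=Strict` or `Lax` cookies are still sent on it when `credentials` is `include`; only a request to a different site is blocked. Suggest making the distinction explicit in the note, e.g. "then the cookie will not be sent on cross-site requests (a request may be cross-origin but still same-site, in which case the cookie is sent), even if `credentials` is set to `include`", or link to the glossary entry for site, so readers do not conclude that `SameSite` alone protects every cross-origin request.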