Hi there,
I have a popover which first prompts the user to log in. This is an AJAX request sent to our API, and the session information comes back in an HTTP-only cookie. Inspecting traffic from the popover makes it seem as if the headers aren't sent or are ignored; however, it's difficult to tell for sure since network traffic is erased on navigation.
I don't believe this to be a CORS issue because if the user changes their cookie policy from "Allow from websites I visit" to "Always allow" the authentication works.
I'd first like to know: what causes this cookie to fail between these two browser settings? It's unclear to me how the 'websites I visit' distinction works, and why a browser extension launching doesn't count as interacting with the url / resource. I suspect if I have a better understanding of what's happening here I'll be able to craft a solution.
Secondly, I would love any recommendations on the best way to solve this problem. Ideally, we should be able to set the cookie without the user having to modify their settings, since 95% of people will roll with the default. We also have control over the whole stack, so we can make changes to the API or the extension to correct the problem.
Thanks,
-Brian
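Added example, not part of Brian's post: whatever the browser's cookie-policy setting does, a session cookie set by an API on a different origin than the caller (an extension popup is such a caller) also has to carry attributes that permit cross-site delivery, and the request has to opt in to sending credentials. The linter below parses a Set-Cookie header and reports what would stop the cookie being stored or resent; the cookie name and values are constructed placeholders.

```javascript
// Parse one Set-Cookie header value into the attributes relevant here.
// Other attributes (Path, Domain, Expires, Max-Age) are accepted and ignored.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
    httpOnly: false,
    sameSite: null, // null = attribute absent
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = v.trim().toLowerCase(); break;
      default: break;
    }
  }
  return cookie;
}

// Reasons a cross-site caller would not get this session cookie stored or
// sent back, plus one hardening check. Empty array = nothing to fix.
function sessionCookieProblems(cookie) {
  const problems = [];
  // Chromium treats a missing SameSite as Lax; Lax (and Strict) cookies
  // are never attached to cross-site XHR/fetch requests.
  if (cookie.sameSite !== 'none') problems.push('SameSite is not None');
  // Browsers reject SameSite=None unless Secure is also present.
  if (cookie.sameSite === 'none' && !cookie.secure) problems.push('SameSite=None without Secure');
  // A session cookie should stay out of reach of page scripts.
  if (!cookie.httpOnly) problems.push('HttpOnly missing');
  return problems;
}

// fetch() defaults to credentials: 'same-origin', so a cross-origin request
// silently drops cookies unless the caller asks for them explicitly.
function crossOriginLoginRequest(body) {
  return {
    method: 'POST',
    credentials: 'include',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  };
}
```

Run `sessionCookieProblems(parseSetCookie(...))` against the header your API actually returns; a cookie that passes here but is still not sent points back at the browser's third-party cookie policy rather than the cookie itself.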