I currently face an issue in Safari 14 on macOS Big Sur where cookies are never sent by Safari on XMLHttpRequests to an API on the same root domain.
I'm working on an Angular SPA where the client app is locally hosted at https://myapp.local, and for testing purposes I have an API running locally on https://api.myapp.local.
For some requests, we need to attach 2 cookies that are originally set by the API. I am able to see the said cookies in the API responses and in the "storage" section of Safari's DevTools, however they are never sent back to the server for subsequent XHR requests. (XHR with credentials)
I tried different cookie attributes, but none of my attempts were successful:
- sameSite=None, domain=myapp.local, Secure, httpOnly
- sameSite=Lax, domain=myapp.local, Secure, httpOnly
Nevertheless, I don't understand why Safari considers those cookies as 3rd party cookies (and blocks them) since the API is hosted on the same domain (on a subdomain, to be more accurate) as the client web app. And, if I understood correctly, cookies should be sent by browsers for subdomain requests, both with sameSite=Lax and sameSite=None. Especially since it works perfectly on Firefox and Chromium browsers.
Anyway, if anyone has an idea or a solution I would be very interested to hear it because I don't know what to try anymore!
Thanks a lot!
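
An added example, not part of the original post: a small model of the standard checks (RFC 6265 domain-match plus the rfc6265bis same-site comparison) that decide whether a cookie accompanies a credentialed XHR, run against the hosts and attributes from the question. The function names and the sample suffix set are assumptions for illustration; browser-specific tracking prevention is not modelled.

```javascript
// Added example (not from the original post). SAMPLE_SUFFIXES is constructed
// sample data standing in for the real Public Suffix List.
const SAMPLE_SUFFIXES = new Set(["com", "io", "github.io"]);

// Registrable domain: longest known public suffix plus one label. When no rule
// matches, the PSL default rule "*" applies: the last label is the suffix.
function registrableDomain(host, suffixes = SAMPLE_SUFFIXES) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (suffixes.has(labels.slice(i + 1).join("."))) return labels.slice(i).join(".");
  }
  return labels.slice(-2).join(".");
}

// RFC 6265 section 5.1.3 domain-match against the cookie's Domain attribute.
function domainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Decide whether a cookie would accompany an XHR/fetch request, and list
// every rule that would stop it. thirdParty means the request is cross-site.
function cookieDecision(pageUrl, requestUrl, cookie, withCredentials, suffixes) {
  const page = new URL(pageUrl), req = new URL(requestUrl);
  const sameSite = page.protocol === req.protocol &&
    registrableDomain(page.hostname, suffixes) === registrableDomain(req.hostname, suffixes);
  const reasons = [];
  if (page.origin !== req.origin && !withCredentials)
    reasons.push("cross-origin request without withCredentials");
  if (!domainMatches(req.hostname, cookie.domain))
    reasons.push("Domain attribute does not match request host");
  if (cookie.secure && req.protocol !== "https:")
    reasons.push("Secure cookie on non-HTTPS request");
  if (cookie.sameSite === "None" && !cookie.secure)
    reasons.push("SameSite=None requires Secure");
  if (cookie.sameSite !== "None" && !sameSite)
    reasons.push("SameSite=" + cookie.sameSite + " cookie on cross-site request");
  return { sent: reasons.length === 0, thirdParty: !sameSite, reasons };
}

// The two attribute sets from the question, checked against its two hosts.
const LAX = { domain: "myapp.local", secure: true, httpOnly: true, sameSite: "Lax" };
const NONE = { ...LAX, sameSite: "None" };
for (const c of [LAX, NONE]) {
  console.log(c.sameSite, cookieDecision("https://myapp.local", "https://api.myapp.local/", c, true));
}
```

Under these rules both attribute sets are first-party and sent, so the check that matters when comparing browsers is which registrable domain each one derives for the two hosts.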