Setting a cookie doesn’t always have the same behavior. If you set a cookie on a domain listed in the public suffix list using
SameSite=strict, it will get blocked by
CORS even if they request and the cookie are coming from the same domain.
This makes sense for certain domains that are primarily used to host the sites of multiple users like
compute.amazonaws.com for AWS resources or
githubpreview.dev which serves preview for GitHub Codespaces. You wouldn’t want a different user hosted on the same domain to be able to set cookies for your users' site because that would be a security issue.
A workaround is to use
SameSite=none and the prerequisite
Secure attribute to set the cookie, but this effectively allows cross site cookies which requires other security measures to lock down.
- This is another gotcha for GitHub Codespaces like how they don’t allow requests across ports from a preview
SameSiteis important to prevent cross site request forgery (CSRF) attacks