
Should credentialed, same-site, cross-origin requests be easier to enable?

Open colinclerk opened this issue 3 years ago • 1 comments

The Fetch standards currently disallow using Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true

This policy requires developers to take an extra step when enabling credentials on same-site but cross-origin fetch requests. Instead of using a * wildcard, they must explicitly return the origin they are allowing.

Today, browsers are defaulting cookies to SameSite=Lax, which takes priority over CORS. Even with credentials: "include" and CORS properly configured, a cookie set to SameSite=Lax won't be included with the cross-origin request.

So, I believe a case can be made that disallowing Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true is a redundant protection.

Some potential options:

  • Allow origin wildcards on credentialed requests
  • Introduce an alternative wildcard that allows all SameSite requests

colinclerk, Apr 29 '21 04:04

I think a same-site value could be reasonable for Access-Control-Allow-Origin. In some sense that is duplicative of a request in #890 that thus far hasn't gained traction, but it's more narrowly scoped so let's see what people think.

annevk, Apr 29 '21 06:04

@colinclerk

a cookie set to SameSite=Lax won't be included with the cross-origin request.

That entirely depends on whether the issuing origin is same-site with respect to the target origin. See https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/

jub0bs, Apr 30 '22 15:04
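Both halves of the check this thread is about, as an added example that is not code from the issue or from the Fetch standard: a server that grants credentialed CORS by echoing the exact Origin for same-site origins (the step the issue wants to shortcut with a wildcard), the browser-side CORS check, following the steps in Fetch, that rejects `*` once credentials are included, and the schemeful same-site test jub0bs points at. The hostnames, the toy public-suffix list and the function names are constructed for this example.

```javascript
// Toy stand-in for the public suffix list (constructed; real code uses the PSL).
const PUBLIC_SUFFIXES = new Set(["com", "co.uk", "github.io"]);

// Registrable domain (eTLD+1), or null if host is itself a suffix or unknown.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Schemeful same-site as browsers apply it to SameSite cookies: same scheme and
// same registrable domain; subdomain and port differences do not matter.
function isSameSite(originA, originB) {
  const a = new URL(originA), b = new URL(originB);
  const ra = registrableDomain(a.hostname);
  return ra !== null && a.protocol === b.protocol && ra === registrableDomain(b.hostname);
}

// Server side: grant credentialed CORS to same-site origins by echoing the exact
// Origin, since Fetch forbids "*" together with Allow-Credentials: true.
function corsHeadersForCredentialed(serverOrigin, requestOrigin) {
  if (!requestOrigin || !isSameSite(serverOrigin, requestOrigin)) return null;
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // per-origin response: keep caches from replaying another origin's grant
  };
}

// Browser side: the Fetch "CORS check" reduced to its header logic. "*" with
// credentials: "include" fails here because "*" never equals the request origin.
function corsCheck(requestOrigin, credentialsMode, headers) {
  const allowOrigin = headers["Access-Control-Allow-Origin"];
  if (allowOrigin === undefined) return false;
  if (credentialsMode !== "include" && allowOrigin === "*") return true;
  if (allowOrigin !== requestOrigin) return false;
  if (credentialsMode !== "include") return true;
  return headers["Access-Control-Allow-Credentials"] === "true";
}

// Constructed origins: only the schemeful same-site one gets a credentialed grant.
for (const o of ["https://app.example.com", "http://app.example.com", "https://evil.example"]) {
  const h = corsHeadersForCredentialed("https://api.example.com", o);
  console.log(o, isSameSite("https://api.example.com", o), h !== null && corsCheck(o, "include", h));
}
```

The same-site test is what decides whether a SameSite=Lax cookie travels at all, which is why the CORS rule and the cookie default guard different things rather than one being redundant.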