
The first request hits:

https://somesite-api.com/auth/google

using fetch, where we are hitting a different domain (e.g. somesite-api.com) and setting credentials=include.

The response headers seem to be correct:

access-control-allow-credentials: true
access-control-allow-origin: https://somesite-api.com
set-cookie: _my_session=really-long-cookie; Path=/; Expires=Thu, 06 Apr 2023 23:56:38 GMT; Max-Age=2592000; Secure; SameSite=None

I seem to be following the guidelines

None means that the browser sends the cookie with both cross-site and same-site requests. The Secure attribute must also be set when setting this value, like so SameSite=None; Secure

The CORS response includes the exact origin that is sending the request.

Access-Control-Allow-Credentials is set to true.

It's using Secure;SameSite=None

The Expires date is in the future.

The Max-Age is plenty large enough.

The frontend then reads the response (something like { redirect: "someothersite.com?continue=https://somesite-api.com/finish" }) and redirects to

someothersite.com?continue=https://somesite-api.com/finish

which then redirects back to

https://somesite-api.com/finish

On every other browser, this final request includes

cookie: _my_session=really-long-cookie

but on Firefox, the request does not include the cookie, and so it fails.

Is there some step I am missing?

I've looked at the following posts:

I've gone through this entire post and ensured I am doing everything it says: https://medium.com/swlh/7-keys-to-the-mystery-of-a-missing-cookie-fdf22b012f09

I am at a loss.

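As an added example (not code from the question or from the site it describes), here is a small checker that tests a response's CORS headers and Set-Cookie attributes against the requirements the question lists: Access-Control-Allow-Credentials is exactly "true", Access-Control-Allow-Origin equals the requesting page's origin (not "*"), SameSite=None is paired with Secure, and Max-Age/Expires are still valid. The sample headers are constructed from the question's own values; the frontend origin https://app.example.com and the fixed "now" are assumptions.

```javascript
// Added example, not code from the original question: a checker for the
// response-header requirements the question lists (credentialed CORS plus a
// SameSite=None; Secure cookie). Sample headers are constructed from the
// question; https://app.example.com is an assumed frontend origin.

function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((p) => p.trim());
  const eq = nameValue.indexOf("=");
  const cookie = { name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    // Flag attributes (Secure, HttpOnly) carry no value; store them as true.
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Returns a list of problems; an empty list means every listed requirement holds.
// requestingOrigin is the origin of the page that issued the fetch; now is
// injectable so the Expires check is reproducible.
function checkCrossSiteCookie(responseHeaders, requestingOrigin, now = new Date()) {
  const problems = [];
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;

  if (h["access-control-allow-credentials"] !== "true") {
    problems.push("Access-Control-Allow-Credentials must be exactly 'true'");
  }
  const acao = h["access-control-allow-origin"];
  if (acao === "*") {
    problems.push("Access-Control-Allow-Origin '*' is rejected for credentialed requests");
  } else if (acao !== requestingOrigin) {
    problems.push(`Access-Control-Allow-Origin '${acao}' does not match the page origin '${requestingOrigin}'`);
  }

  const raw = h["set-cookie"];
  if (!raw) {
    problems.push("no Set-Cookie header");
    return problems;
  }
  // Node exposes multiple Set-Cookie headers as an array; accept both shapes.
  for (const line of Array.isArray(raw) ? raw : [raw]) {
    const { name, attributes: a } = parseSetCookie(line);
    const sameSite = typeof a.samesite === "string" ? a.samesite.toLowerCase() : "";
    if (sameSite !== "none") problems.push(`${name}: SameSite must be None for cross-site use`);
    if (a.secure !== true) problems.push(`${name}: Secure is required with SameSite=None`);
    if (a["max-age"] !== undefined && !(Number(a["max-age"]) > 0)) problems.push(`${name}: Max-Age must be positive`);
    if (a.expires !== undefined && !(new Date(a.expires) > now)) problems.push(`${name}: Expires is not in the future`);
  }
  return problems;
}

// Constructed sample: the headers quoted in the question, checked at an assumed
// "now" thirty days before the cookie's Expires (its Max-Age is 30 days).
const RESPONSE_FROM_QUESTION = {
  "access-control-allow-credentials": "true",
  "access-control-allow-origin": "https://somesite-api.com",
  "set-cookie": "_my_session=really-long-cookie; Path=/; Expires=Thu, 06 Apr 2023 23:56:38 GMT; Max-Age=2592000; Secure; SameSite=None",
};
const SET_AT = new Date("2023-03-07T23:56:38Z");

// Constructed weak variant: wildcard origin and no Secure attribute.
const WEAK_RESPONSE = {
  "Access-Control-Allow-Credentials": "true",
  "Access-Control-Allow-Origin": "*",
  "Set-Cookie": "_my_session=really-long-cookie; Path=/; SameSite=None",
};

// Usage (node check-cookie.js):
console.log(checkCrossSiteCookie(RESPONSE_FROM_QUESTION, "https://somesite-api.com", SET_AT)); // []
console.log(checkCrossSiteCookie(RESPONSE_FROM_QUESTION, "https://app.example.com", SET_AT)); // origin mismatch
console.log(checkCrossSiteCookie(WEAK_RESPONSE, "https://app.example.com", SET_AT)); // two problems
```

The second argument matters: the allowed origin has to be the origin of the page running the fetch, which is why the checker takes it as input instead of reading it from the response. Passing every check here only confirms the server side; a browser can still decline to attach a cookie on a later cross-site navigation because of its own third-party cookie blocking or partitioning policy, which no Set-Cookie attribute overrides.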

0 Answers