What credentials mode controls
The fetch credentials option decides whether the browser attaches cookies (and other credentials such as HTTP authentication entries) to a request. Getting this right matters because cookies carry session identity: sending them to the wrong origin exposes that identity, and failing to send them to your own origin breaks authenticated calls.
- omit never sends credentials with the request.
- same-origin (the default for fetch) sends credentials only to your own origin.
- include sends credentials even on cross-origin requests.
Interaction with sharing rules
A cross-origin request made with credentials: include triggers stricter sharing rules. The server must respond with Access-Control-Allow-Credentials: true, and it cannot answer with a wildcard Access-Control-Allow-Origin: *; it must echo the specific requesting origin. If either condition is not met, the browser blocks the page from reading the response even though the request (cookies and all) was already sent. Note also that include does not override cookie attributes: a cookie whose SameSite setting forbids cross-site sending is still withheld.
- Use same-origin as the safe default for your own API.
- Use include only when the cross-origin server expects credentials.
- The server cannot combine a wildcard allow origin with allow credentials.
Picking the narrowest mode that still works limits accidental cookie exposure.
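As an added example (not code from the original page), here are the three pieces the rules above describe: the client picks the narrowest credentials mode, the server builds the matching CORS headers, and browserAllowsRead() applies the check a browser runs before exposing the response. The origins and the allowlist are constructed for the demo.

```javascript
// Added example, not the page's code. The origins, ALLOWED_ORIGINS and demo()
// are constructed to illustrate the credentials / CORS interaction.

// Client: narrowest fetch credentials mode that still works for this URL.
function chooseCredentialsMode(pageOrigin, url, crossOriginNeedsCookies = false) {
  const target = new URL(url, pageOrigin);
  if (target.origin === pageOrigin) return 'same-origin'; // cookies only to our own origin
  return crossOriginNeedsCookies ? 'include' : 'omit';    // include only if the server expects it
  // in a page: fetch(url, { credentials: chooseCredentialsMode(location.origin, url) })
}

// Server: response headers for a request that carried an Origin header.
// credentialed is true when the request arrived with cookies or Authorization,
// i.e. the client used credentials: 'include' across origins.
function corsHeadersFor(originHeader, allowedOrigins, credentialed) {
  if (!originHeader) return {};                      // not a cross-origin browser request
  if (!credentialed) {
    return { 'Access-Control-Allow-Origin': '*' };   // anonymous read: wildcard is fine
  }
  if (!allowedOrigins.has(originHeader)) return {};  // unlisted origin: the browser blocks the read
  return {
    'Access-Control-Allow-Origin': originHeader,     // exact echo; '*' is rejected with credentials
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',                                // the answer depends on the request Origin
  };
}

// Browser: may the page read the response? Mirrors the CORS check for both modes.
function browserAllowsRead(responseHeaders, pageOrigin, credentialed) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  const acac = responseHeaders['Access-Control-Allow-Credentials'];
  if (!credentialed) return acao === '*' || acao === pageOrigin;
  return acao === pageOrigin && acac === 'true';     // wildcard does not count once cookies were sent
}

// Constructed scenario: page at https://app.example calling https://api.example.
const ALLOWED_ORIGINS = new Set(['https://app.example']);
function demo() {
  const page = 'https://app.example';
  const mode = chooseCredentialsMode(page, 'https://api.example/me', true);
  const credentialed = mode === 'include';
  const echoed = corsHeadersFor(page, ALLOWED_ORIGINS, credentialed);
  const wildcard = { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' };
  return {
    mode,                                                                   // 'include'
    readableWithEcho: browserAllowsRead(echoed, page, credentialed),        // true
    readableWithWildcard: browserAllowsRead(wildcard, page, credentialed),  // false
  };
}
```

The wildcard response in demo() is the classic misconfiguration: the cookies were already sent, but the page never gets to read the answer.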
Key idea
The fetch credentials mode chooses whether cookies attach, and using include cross-origin demands that the server echo the specific origin in Access-Control-Allow-Origin and send Access-Control-Allow-Credentials: true.