fetch(): What cookies are sent when "credentials": "include" and "cookies" are set? #39561

Open
@DanKaplanSES

MDN URL

https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch

What specific section or headline is this issue about?

https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch#including_credentials

What information was incorrect, unhelpful, or incomplete?

I've been assuming this is how the "credentials": "include" and "credentials": "same-origin" work:

The browser stores a list of cookies, some of them related to credentials, some of them not. When the browser executes a fetch with "credentials": "include" or "credentials": "same-origin", the browser sends the credential-related cookies to the server behind the scenes. To send all stored cookies, the difference (i.e., all cookies - credential related cookies) must be explicitly added to a cookies header in the fetch() call.

  1. Is this accurate? Or do "credentials": "include" and "credentials": "same-origin" send all cookies, like this comment says?
  2. If "credentials": "include" or "credentials": "same-origin" and cookies contain overlapping keys, which one is sent to the server?
    1. If both are sent to the server, which one has precedence, the credentials or the cookies?

What did you expect to see?

I was reading this GitHub comment, and couldn't confirm this detail (emphasis mine):

You should add them manually as headers. You can in fact use the same code for server and for client, because on client the Cookie headers are ignored and credentials: 'include' works instead.

fetch('/', {
  credentials: 'include',
  headers: {'Cookie': 'foo=bar;bar=foo'}
})

If this is true, can it be mentioned somewhere in this article?

Do you have any supporting links, references, or citations?

If I'm requesting information that seems more appropriate for reference documentation, maybe it should go here instead: https://developer.mozilla.org/en-US/docs/Web/API/Request/credentials

Do you have anything more you want to share?

This may be the appropriate content to modify:

Credentials are cookies, TLS client certificates, or authentication headers containing a username and password.
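
As an added illustration that is not part of the original issue or of MDN: a simplified JavaScript model of the Fetch Standard rules behind the snippet above, in which `Cookie` is a forbidden request header that browsers silently drop from script-supplied headers, while `credentials` decides whether the browser's own cookie store is attached. The `jar` shape, the `app.example` origin and the function names are assumptions made for the example.

```javascript
// Simplified model of Fetch Standard rules a browser applies to a fetch() call
// before the request leaves. Not browser code: it ignores SameSite, Secure,
// Path, expiry and third-party-cookie blocking.

// Subset of the Fetch Standard's forbidden request-header names.
const FORBIDDEN = new Set(['cookie', 'cookie2', 'host', 'origin', 'referer',
  'content-length', 'connection']);
const isForbidden = (name) => {
  const n = name.toLowerCase();
  return FORBIDDEN.has(n) || n.startsWith('proxy-') || n.startsWith('sec-');
};

// Does this credentials mode let the browser attach its stored cookies?
function credentialsAllowed(mode, pageOrigin, requestUrl) {
  if (mode === 'include') return true;
  if (mode === 'same-origin') return new URL(requestUrl).origin === pageOrigin;
  return false; // 'omit'
}

// jar: constructed cookie store, { host: { name: value } } (hypothetical shape).
function headersOnWire({ pageOrigin, url, credentials = 'same-origin', headers = {} }, jar) {
  const wire = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (isForbidden(name)) dropped.push(name); // silently ignored, no exception
    else wire[name.toLowerCase()] = value;
  }
  const target = new URL(url, pageOrigin);
  const stored = jar[target.hostname] || {};
  if (credentialsAllowed(credentials, pageOrigin, target.href) && Object.keys(stored).length) {
    // All stored cookies for the host are attached, not a "credential" subset.
    wire.cookie = Object.entries(stored).map(([k, v]) => `${k}=${v}`).join('; ');
  }
  return { wire, dropped };
}

// Constructed sample data mirroring the fetch() call quoted in the issue.
const jar = { 'app.example': { session: 'abc123', theme: 'dark', foo: 'from-jar' } };
const result = headersOnWire({
  pageOrigin: 'https://app.example',
  url: '/',
  credentials: 'include',
  headers: { Cookie: 'foo=bar;bar=foo', 'X-Trace': '1' },
}, jar);
console.log(result);
```

In this model the script-supplied `Cookie` value never reaches the wire, so it cannot collide with or override a stored cookie of the same name.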

    Labels

    Content:WebAPI, area: Fetch/XMLHttpRequest, goal: clarity, help wanted