Sending Cookies with Fetch API Requests

To send cookies with the Fetch API the credentials property of the Request object passed to fetch() must be set appropriately.

The Fetch API spec defines the following values for credentials:

  • 'omit' - Exclude credentials from this request.
  • 'same-origin' - Include credentials with requests made to same-origin URLs.
  • 'include' - Always includes credentials with this request.

I have observed the majority of browsers seem to send same-origin cookies by default but this is not in conformance with the spec which states the default should be 'omit'. Edge seems to follow the spec correctly on this so it is always advisable to explicitly set credentials if required.