SameSite=Lax versus None: aligning cookie policy with credentialed CORS
Cross-site credentialed fetches need SameSite=None; Secure on the cookie, and the API must answer with an explicit Access-Control-Allow-Credentials: true plus a specific Access-Control-Allow-Origin (a wildcard is rejected by the browser once credentials are involved).
Tags: cookies, samesite, cors
Browser matrix
Safari ITP blocks third-party cookies by default, and Chrome's third-party cookie restrictions and CHIPS partitioning can withhold them too, even when the CORS headers are perfect.
Prefer a first-party API subdomain (same site as the page, so the cookie is never third-party and SameSite=Lax still works) or a token-in-header pattern when cookies are unreliable.
Debugging checklist
Capture the Set-Cookie header on the login response and the Cookie header on the subsequent API request in one HAR, so you can see which attribute (or missing attribute) kept the cookie from being sent.
Confirm Partitioned (CHIPS) expectations for embedded payment iframes: a partitioned cookie is keyed to the top-level site, so the same iframe sees a separate cookie jar on each site that embeds it.
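The cookie and CORS rules above, and the HAR check from the debugging checklist, as an added example that is not part of the original post. It builds a cookie that survives a cross-site credentialed fetch, emits the matching CORS response headers for an allow-listed Origin, and lints Set-Cookie lines (constructed here, but the same shape you would paste from a HAR) for the attributes that block cross-site delivery. The names ALLOWED_ORIGINS, buildSessionCookie, corsHeadersFor, lintSetCookie and the origins listed are this example's own assumptions; it cannot detect ITP or Chrome third-party blocking, which happens in the browser regardless of headers.

```javascript
// Added example, not code from the original post. Hypothetical names throughout.
// Constructed allow-list of front-end origins permitted to make credentialed calls.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://checkout.example.net",
]);

// Cookie attributes a browser needs before it will attach the cookie to a
// cross-site fetch made with credentials: "include". Partitioned is opt-in
// for the embedded-iframe (CHIPS) case.
function buildSessionCookie(value, { partitioned = false } = {}) {
  const parts = [`session=${value}`, "Path=/", "HttpOnly", "Secure", "SameSite=None"];
  if (partitioned) parts.push("Partitioned");
  return parts.join("; ");
}

// CORS response headers for a credentialed request. Returns null when the
// Origin is not allow-listed so the caller can answer with no CORS headers at
// all. The allowed origin is echoed, never "*": browsers reject a wildcard
// when Access-Control-Allow-Credentials is true, and "*" in
// Access-Control-Allow-Headers is likewise taken literally in that mode.
// Vary: Origin stops a shared cache from replaying one origin's headers to another.
function corsHeadersFor(requestOrigin, allowedOrigins = ALLOWED_ORIGINS) {
  if (!requestOrigin || !allowedOrigins.has(requestOrigin)) return null;
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST",
    "Access-Control-Allow-Headers": "Content-Type",
    "Vary": "Origin",
  };
}

// Parse one Set-Cookie header value into { name, value, attrs }. Attribute names
// are lowercased; flag attributes (Secure, HttpOnly, Partitioned) become true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Lint a Set-Cookie line (e.g. copied from the login response in a HAR) and
// return every reason the cookie will not ride along on a cross-site
// credentialed request. An empty array means the cookie side is fine and the
// problem, if any, is on the CORS side or in the browser's third-party policy.
function lintSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const problems = [];
  const explicit = "samesite" in attrs;
  // Chromium treats a cookie with no SameSite attribute as Lax.
  const sameSite = explicit ? String(attrs.samesite).toLowerCase() : "lax";
  if (sameSite !== "none") {
    problems.push(
      explicit
        ? `${name}: SameSite=${attrs.samesite} is not sent on cross-site requests`
        : `${name}: no SameSite attribute; Chromium defaults it to Lax`
    );
  }
  if (sameSite === "none" && !attrs.secure) {
    problems.push(`${name}: SameSite=None without Secure is rejected by browsers`);
  }
  if (attrs.partitioned && !attrs.secure) {
    problems.push(`${name}: Partitioned requires Secure`);
  }
  return problems;
}
```

On the client the matching request is `fetch(url, { mode: "cors", credentials: "include" })`; without `credentials: "include"` the browser never attaches the cookie, and without the headers from corsHeadersFor it discards the response. Run lintSetCookie over every Set-Cookie line in the login response of the HAR before looking anywhere else.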
