CORS Fetch Authentication Using Browser's Session Cookie

I have a server that stores session cookies and you can log onto it using a page ( that runs in the browser. The browser then stores a session cookie for this domain.

Now I want another page ( upon initialization to make a GET request using JavaScript to the first page ( which should check if a session cookie exists in the browser and validate it, if correct he should respond with the session's username (however this is retrieved from the cookie). Of course I cannot check in's JavaScript if there exists a session cookie for

Trying to solve this I ran into a few problems, one of which is of course CORS. I managed to avoid this problem by placing a reverse proxy in front of that adds all required CORS headers to the response. besides adding the headers, the proxy only tunnels requests through (eg. ->

Now when I call the handler through the rev proxy from just another browser window directly (eg., I get the correct response. The handler from's backend finds the session cookie, reads out the username and passes it back. BUT when I try to make the same call from JavaScript inside (fetch("")), I receive null, meaning he did not find the cookie (note that the request itself has status 200, meaning it did reach the backend of

I have the feeling I am missing a crucial point in how cookies are used by browsers but I cannot find any useful information on my specific problem since I believe it is a rather unusual one.



See the MDN documentation:

fetch won’t send cookies, unless you set the credentials init option. (Since Aug 25, 2017. The spec changed the default credentials policy to same-origin. Firefox changed since 61.0b13.)