Passing Cookie headers to Server having external host

[itssumitrai]

Hi,

Sveltekit Load Input has the fetch which should be used instead of the global fetch. According to the documentation, it doesn't pass Cookies if the hostname is different.

https://kit.svelte.dev/docs/loading#input-fetch

Now here is my situation, we have An Api server (having a different hostname which is pretty common) which supports CORS for our domain. The api request requires user's credentials (user cookie header). Previously we were just using fetch with credentials:include which would include cookie header for the different domain. But Sveltekit's fetch behavior doesn't follow this normal behavior, it would not include the Cookie header at all even if you set the credentials: include

https://developer.mozilla.org/en-US/docs/Web/API/fetch#credentials

Now I can understand it might be decided for security risk, but its also a valid use case. The only way around I can see is to use an endpoint as a proxy. But that defeats all the benefits of using CORS in the first place with the extra Round trip to the server.

[johnnysprinkles]

This would be fixed by #5195, which would let you forward headers any way you like... emulating the browser security model or taking advantage of the omnipotence that comes with server side code.