Reputation: 11
I'm running Chrome Version 91.0.4472.77 (Official Build) (x86_64) on Mac OS Catalina 10.15.7.
I have a frontend and backend, located at fe.example.com and be.example.com (not really). When I visit fe.example.com, I see many cookies listed as .example.com, and these cookies are all included with backend requests to be.example.com.
However, for local development, I have an /etc/hosts record mapping localhost.example.com as an alias for 127.0.0.1. I created a local CA and instructed my OS to trust it, used it to generate a cert, and when I visit https://localhost.example.com, Chrome indicates that this is a secure and trusted connection. When I click on the lock icon and select "Cookies", I can see all the cookies I care about listed in the "Allowed" tab, and none of them listed in the "Blocked" tab. There are no requests listed in the DevTools network tab if I check the "Requests with blocked cookies" box. BUT:
There are no cookies sent with any requests. The backend does not recognize that it received any cookies, and the network tab doesn't list a cookies header at all under the request headers. "Copy as cURL" also produces a command with no cookies. Where each request in the Network tab for fe.example.com has a "Cookies" subtab which provides detailed information about why each cookie was/wasn't included, the requests sent from localhost.example.com actually have no "Cookies" tab at all.
This seems quite similar to this past bug. The chrome://flags/#network-service flag no longer exists in my version of Chrome (which is up to date), and the chrome://flags/#site-isolation-trial-opt-out flag did not resolve the issue (and seems to be fairly dangerous to boot).
I don't know what the discriminating factor is between the two sites, but the only thing I can imagine is that it has to do with the fact that one domain name resolves to the loopback address and the other does not. I've tried searching for any information about Chrome treating localhost differently, and everything I've found indicates that Chrome should be more permissive about cookies on localhost, rather than less. The behavior is the same, by the way, if I point localhost.example.com at a locally running localbe.example.com instead of pointing it at be.example.com.
I've tried flipping every cookie-related experimental flag I can find to no avail. I also notice that Firefox behaves the same, at least as far as transmitting cookies from fe.example.com but not transmitting them from localhost.example.com. Both browsers list the relevant cookies as being set and matching the current domain, and neither browser lists any cookies as being "blocked."
Any ideas on how I can get Chrome to play nice with a local development environment?
NOTE: this SO post appears to be similar, but I don't think it's relevant, since I am always referring to my local servers by a domain name with multiple parts.
EDIT: The issue persists if I map the domain names to my private LAN IP address instead of to 127.0.0.1.
Upvotes: 0
Views: 767
Reputation: 1
Try this:
open -a "Google Chrome" --args --disable-features=SameSiteByDefaultCookies,CookiesWithoutSameSiteMustBeSecure
Upvotes: 0
Reputation: 11
This was totally a red herring, and actually turned out to be an Angular issue, not a browser configuration. The Angular frontend did not explicitly set the withCredentials flag. In our deployed environments, that doesn't matter, because the FE and BE are served from the same port via a load balancer. In that case, someone (Angular or the browser?) sends cookies by default. If the hosts differ at all, even in port, then this configuration needs to be set explicitly on the XHR requests.
Upvotes: 1
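The fix in the accepted self-answer has two halves: the client must opt in to sending cookies cross-origin, and the backend's CORS response must accept credentialed requests from that exact origin (a wildcard origin is rejected by the browser). The following is an added example, not code from the question or answers; the backend URL, the origin allow-list and the helper names are assumed for illustration.

```javascript
// Added example (not from the original post). Demonstrates both halves of
// a credentialed cross-origin request: the client-side flag the answer
// refers to, and the server-side CORS headers that must accompany it.

// Assumed local-development backend origin (constructed, not from the post).
const BACKEND = "https://localbe.example.com:8443";

// Client side. Once scheme, host OR port differs from the page's origin,
// the browser drops cookies from XHR/fetch unless credentials are requested.
// This is the fetch equivalent of Angular's
//   this.http.get(url, { withCredentials: true })
function buildRequestInit(method, body) {
  return {
    method,
    credentials: "include", // without this line, no Cookie header is sent
    headers: { "Content-Type": "application/json" },
    body: body === undefined ? undefined : JSON.stringify(body),
  };
}

// Example call site (not executed here): a credentialed POST to the backend.
function postWithCookies(path, payload) {
  return fetch(`${BACKEND}${path}`, buildRequestInit("POST", payload));
}

// Server side. For a credentialed request the response must echo one
// explicit, allow-listed origin and set Allow-Credentials. Returning null
// (no CORS headers) for an unknown origin keeps other sites from reading
// authenticated responses with the user's cookies attached.
function corsHeadersFor(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return null;
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // responses differ per origin; keep caches honest
  };
}

// Would a browser accept this response for a credentialed request?
// Mirrors the browser rule: exact origin match, never "*", credentials allowed.
function credentialedCorsOk(headers, requestOrigin) {
  if (!headers) return false;
  const origin = headers["Access-Control-Allow-Origin"];
  return origin !== "*" &&
    origin === requestOrigin &&
    headers["Access-Control-Allow-Credentials"] === "true";
}
```

Cookies scoped to .example.com are still subject to their own SameSite and Secure attributes; withCredentials only stops the browser from omitting them on a cross-origin request.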