xhr.withCredentials = true; does not work in chrome

I have a problem authenticating CORS requests in Chrome.

I've a Single Page Application running on localhost and web services running in Azure. I log in using OpenIdConnect.

When I do a CORS request in Edge to my backend like this, authentication works:

$.ajax({
   type: 'get',
   url: buildBackendUrl("api/Account"),
   xhrFields: { withCredentials: true }
});

However, the same does not work in Chrome. When I enter the web service URL into the browser manually, the request is authenticated.

I've examined the request headers of the CORS request and the difference is in the cookies:

  • Edge: ARRAfinity=...; AspNetCore.Cookies=...
  • Chrome: ARRAfinity=...

Why does Chrome not include all cookies?

EDIT: here are the requests captured by Fiddler:

  1. REDIRECT when I press login:
    myapp.azurewebsites.net/api/Account/login?returnUrl=http://localhost:46563/
  2. Since I'm already logged in, there's no need to go to the login page. Redirect to
    myapp.azurewebsites.net/signin-oidc
  3. REDIRECT BACK: localhost:46563/
  4. CORS request made from localhost: myapp-dev.azurewebsites.net/api/Account

In neither request 3 nor request 4 do I see the cookies.

Anyway, the response to request 2 (myapp.azurewebsites.net/signin-oidc) tries to set cookies:

HTTP/1.1 302 Found
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 0
Expires: -1
Location: http://localhost:46563/
Set-Cookie: .AspNetCore.Correlation.OpenIdConnect.3ifhkwCQkMuZkTgBxYiKMOSoLgTX2nIex-8aH-syh5Q=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/signin-oidc; samesite=lax
Set-Cookie: .AspNetCore.OpenIdConnect.Nonce.CfDJ8FG-d2csck1FsQu2pwqnsxLd4w9YWobqchk1w3xMgy7bCX_KilCuRxuj4U0bSTAL-dD_iwdEaZI6pclqlP-3f7QBuKUMS379DFiBPd_tkEkyB_IYVWzJsR1xtw-_qcS1pQL6ial_C2ywbSwRucBxUqtDPMcuFEIomNDDnklpqWUmS_5Xb_tB23Ew7b14M861pL1CtJ18uPqgu-nOgn1RygqhBhMECoQfQ7YhXN_BtfiIbdPfw00jWNfMVc5G1B-SnT_eq80_RmxQ4_JOX3ZJfiI=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/signin-oidc; samesite=lax
Set-Cookie: .AspNetCore.Cookies=...; path=/; samesite=lax; httponly
Liero asked Nov 07 '25 07:11


1 Answer

There's a new draft cookie policy, called SameSite, currently implemented by Chrome and Opera.

Basically, cookies marked with SameSite=Strict are not sent with a CORS request even if you set xhr.withCredentials = true;

In order to make it work, you have to disable the SameSite policy on the particular cookie. In the case of the ASP.NET Core 2.0 authentication cookie it was:

services.AddAuthentication(...)
    // SameSite=None lets the auth cookie accompany cross-site XHR requests
    .AddCookie(option => option.Cookie.SameSite = SameSiteMode.None)
    .AddOpenIdConnect(...);
Liero answered Nov 09 '25 20:11
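The following Python model of the browser's cookie-attachment rules is an added illustration for this thread; it is not code from the question, the answer, or ASP.NET Core. It replays the scenario above (SPA on localhost:46563, API on myapp.azurewebsites.net, the `samesite=lax` cookie that the signin-oidc response sets) under the SameSite rules Chrome applies since version 80, including the later requirement that a SameSite=None cookie must also be Secure, and it also checks the cookie's host scope, since the Fiddler trace sets the cookie on myapp.azurewebsites.net while request 4 goes to myapp-dev.azurewebsites.net. The https scheme for the API, the cookie values and the public-suffix table are assumptions I constructed for the example.

```python
"""Model of a browser's SameSite cookie-attachment decision.

Added example for this thread; it is not code from the question, the
answer, or ASP.NET Core. It encodes the SameSite rules as specified in
RFC 6265bis and as Chrome 80+ applies them:
  Strict  -> sent on same-site requests only
  Lax     -> same-site requests, plus cross-site top-level navigations
             using a safe method (GET/HEAD); the default when absent
  None    -> sent cross-site too, but the cookie must also be Secure
"Site" is compared as scheme + registrable domain (eTLD+1).
The public-suffix table is a constructed stub covering only this example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed stub of the Public Suffix List (azurewebsites.net really is
# listed, which is why sibling apps on it count as different sites).
PUBLIC_SUFFIXES = {"com", "net", "azurewebsites.net"}


@dataclass
class Cookie:
    name: str
    host: str                       # host-only cookie: the host that set it
    samesite: Optional[str] = None  # "Strict", "Lax", "None", or None if absent
    secure: bool = False


def registrable_domain(host: str) -> str:
    """eTLD+1 of a hostname according to the stub suffix table."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return host.lower()  # no known suffix (e.g. "localhost")


def site_of(url: str) -> Tuple[str, str]:
    """Schemeful site: (scheme, eTLD+1) as Chrome compares it."""
    parts = urlsplit(url)
    return parts.scheme.lower(), registrable_domain(parts.hostname or "")


def cookie_is_sent(cookie: Cookie, request_url: str, initiator_url: str,
                   top_level: bool, method: str = "GET") -> Tuple[bool, str]:
    """Decide whether `cookie` is attached to a request for `request_url`
    made from a document at `initiator_url`. Returns (sent, reason)."""
    req_host = urlsplit(request_url).hostname or ""
    if req_host.lower() != cookie.host.lower():
        return False, f"host mismatch: set on {cookie.host}, request to {req_host}"
    mode = (cookie.samesite or "Lax").capitalize()   # absent -> Lax (Chrome 80+)
    if mode == "None" and not cookie.secure:
        return False, "SameSite=None without Secure: Chrome rejects the cookie"
    if site_of(request_url) == site_of(initiator_url):
        return True, "same-site request"
    if mode == "None":
        return True, "SameSite=None: sent cross-site (needs withCredentials)"
    if mode == "Lax" and top_level and method.upper() in ("GET", "HEAD"):
        return True, "Lax: cross-site top-level GET navigation"
    kind = "navigation" if top_level else "XHR/fetch"
    return False, f"SameSite={mode} blocks cross-site {kind}"


def replay_question_trace() -> dict:
    """Replay the thread's scenario: the SPA at localhost:46563 calls the
    API on myapp.azurewebsites.net with withCredentials. Cookie values and
    the https scheme for the API are constructed."""
    api = "https://myapp.azurewebsites.net/api/Account"
    spa = "http://localhost:46563/"
    host = "myapp.azurewebsites.net"
    lax_cookie = Cookie(".AspNetCore.Cookies", host, "lax")
    none_cookie = Cookie(".AspNetCore.Cookies", host, "None", secure=True)
    none_insecure = Cookie(".AspNetCore.Cookies", host, "None")
    return {
        # cross-site XHR with the Lax cookie the signin-oidc response set
        "lax_xhr": cookie_is_sent(lax_cookie, api, spa, top_level=False),
        # same cookie on a top-level link click from the SPA to the API
        "lax_nav": cookie_is_sent(lax_cookie, api, spa, top_level=True),
        # the answer's fix: SameSite=None (plus Secure on current Chrome)
        "none_xhr": cookie_is_sent(none_cookie, api, spa, top_level=False),
        # SameSite=None without Secure is dropped by current Chrome
        "none_insecure_xhr": cookie_is_sent(none_insecure, api, spa, top_level=False),
        # request 4 in the trace targets myapp-dev, a different host entirely
        "dev_host_xhr": cookie_is_sent(
            lax_cookie, "https://myapp-dev.azurewebsites.net/api/Account",
            spa, top_level=False),
    }


if __name__ == "__main__":
    for label, (sent, why) in replay_question_trace().items():
        print(f"{label:18} sent={sent!s:5} {why}")
```

Running the script prints one line per scenario: the Lax cookie is withheld from the cross-site XHR but attached to a top-level GET navigation, the SameSite=None + Secure cookie is attached to the XHR, and a request to a different host never sees the cookie regardless of SameSite, which is worth verifying before changing the cookie policy.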