Set-Cookie header not working cross-domain

Updated: 2023-09-01 23:31:46

These are indeed required to make it work:

  • access-control-allow-credentials: true
  • access-control-allow-origin: aaa.shared.com (not a wildcard)
  • Secure
  • SameSite=None

You were just missing one thing when sending the request: credentials: 'include'.

I've created a mock endpoint that you can use to test this line of code twice (in the console of another domain):

fetch('https://***.free.beeceptor.com', { credentials: 'include' });

You'll notice the cookie will be sent the second time.

In case the mock endpoint expires (no idea how long it lasts), or if someone destroys it, you can recreate it on http://beeceptor.com with this JSON in the header configuration:

{
    "Content-Type": "application/json",
    "Set-Cookie": "test=value; Path=/; Secure; SameSite=None;",
    "access-control-allow-origin": "https://yourdomain",
    "Access-Control-Allow-Credentials": "true"
}
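
The server-side half of the checklist above can be audited mechanically. The following is an added example, not part of the original answer: `checkCrossSiteCookie`, `parseSetCookie` and both sample header sets are constructed for illustration, and the check covers response headers only (the caller must still pass credentials: 'include').

```javascript
// Parse "name=value; Attr; Attr=val" into a lowercase attribute map.
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(';').map(s => s.trim()).filter(Boolean);
  const map = {};
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    map[key] = i === -1 ? true : a.slice(i + 1).trim();
  }
  return { name: pair.split('=')[0], attrs: map };
}

// Return the list of reasons a credentialed cross-origin fetch from
// pageOrigin would not store or send the cookie. Empty list = all four met.
function checkCrossSiteCookie(headers, pageOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v; // names are case-insensitive
  const problems = [];
  const acao = h['access-control-allow-origin'];
  if (acao === '*') problems.push('allow-origin is a wildcard');
  else if (acao !== pageOrigin) problems.push('allow-origin does not match the page origin');
  // The only accepted value is the exact, case-sensitive string "true".
  if (h['access-control-allow-credentials'] !== 'true') problems.push('allow-credentials is not "true"');
  const setCookie = h['set-cookie'];
  if (!setCookie) { problems.push('no Set-Cookie header'); return problems; }
  const { attrs } = parseSetCookie(setCookie);
  if (!attrs.secure) problems.push('cookie lacks Secure');
  if (String(attrs.samesite).toLowerCase() !== 'none') problems.push('cookie is not SameSite=None');
  return problems;
}

// Constructed sample: the header configuration from the answer.
const GOOD = {
  'Content-Type': 'application/json',
  'Set-Cookie': 'test=value; Path=/; Secure; SameSite=None;',
  'access-control-allow-origin': 'https://yourdomain',
  'Access-Control-Allow-Credentials': 'true'
};
// Constructed sample: a configuration that fails all four requirements.
const WEAK = {
  'Set-Cookie': 'test=value; Path=/',
  'Access-Control-Allow-Origin': '*'
};

console.log(checkCrossSiteCookie(GOOD, 'https://yourdomain')); // []
console.log(checkCrossSiteCookie(WEAK, 'https://yourdomain'));
```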