I have a bit of a weird use-case in mind for FedCM where I have a single page application which has previously performed authentication using something like the OAuth Password Grant Flow — essentially username + password typed into the SPA, even though it is not actually the identity provider. That's the context for this question.
When reading the FedCM spec, it just says we include cookies following credentials: include from fetch, but there isn't anything that explicitly says if client-side set cookies would or would not be included. It seems likely that they are included, but I'm just trying to gain some certainty around this.