Apollo Client HttpLink does not send cookies with "same-origin" in subdomain scenario

Apollo's HttpLink does not send cookies with the "same-origin" policy, although "same-origin" is satisfied in the present scenario according to the specification:

  • auth.example.com sets cookies for the domain example.com
  • the cookies should be sent on requests to api.example.com

The subdomains should fall under "same-origin", but the cookies are not sent along (API responds with 401 because of missing cookies, also confirmed in browsers network analysis). CORS is configured correctly (incl. access-control-allow-credentials). The fact that api.exmaple.com is a CNAME DNS record and finally lands on a different domain should not matter, according to my research, because the client does not notice this at the time of the request.

This is my HttpLink:

const hasuraHttpLink = createHttpLink({
  uri: 'api.example.com',
  credentials: 'same-origin'

Interestingly, this problem does not occur with Apollo's WebSocketLink, this works fine.

Can anyone confirm this or find find an error in my assumptions?

How many English words
do you know?
Test your English vocabulary size, and measure
how many words do you know
Online Test
Powered by Examplum