I have a top level site1.com that has a child iframe with src pointing to bot.com.
bot.com just contains a simple js script that does a fetch to auth.com/login which returns it a cookie with these params:
Domain=auth.com, SameSite=None, Path=/, Secure, HttpOnly & Expires in 1 hr
Then it does another fetch to auth.com/auth, but the cookie is not sent as expected.
Looking at the cookie in Chrome (latest ver) debugger I see it is partitioned to the top level site1.com. Research showed it's related to CHIPS - but my second call is from the same iframe, nested in the same parent page... why would it not send the cookie?
Eventually a silly solution where the initial fetch [to url that was setting the cookie] also needed to have
credentials: include(I was already doing this on second fetch). The initial Mozilla Fetch API docs I was referring to had no mention of it affecting accepting a cookie, but later I found it mentions it applies to send & receive here.