Description
mapbox-gl-js version
3.5.2
Browser and version
No response
Expected behavior
When transformRequest returns { credentials: 'include' }, all requests made by Mapbox GL JS — including vector tile (.pbf) requests — should automatically include any cookies stored for the target domain (in this case cdn-dev.mydomain.com).
This should behave the same as a normal fetch(url, { credentials: 'include' }), where cookies for cdn-dev.mydomain.com are correctly attached.
Actual behavior
transformRequest is executed for tile requests (confirmed with console logs).
Returning { url, credentials: 'include' } does not attach cookies to .pbf requests against cdn-dev.mydomain.com.
If a custom header is added (e.g. Authorization: Bearer …), the header is sent correctly — but the Cookie header is still missing.
Running fetch('https://cdn-dev.mydomain.com/...', { credentials: 'include' }) from the app does send the cookies as expected.
Link to the demonstration
No response
Steps to trigger the unexpected behavior
- Serve an app from https://app-dev.mydomain.com.
- Set a cookie for .mydomain.com (so it is visible to cdn-dev.mydomain.com).
- Configure a vector tile source pointing to https://cdn-dev.mydomain.com/.../{z}/{x}/{y}.pbf.
- Use the following transformRequest implementation:
```ts
const transformRequest = (url: string, resourceType: string | undefined) => {
  console.log('transformRequest called:', { url, resourceType });
  // Only tile requests to the CDN host get credentials and the test header.
  if (resourceType === 'Tile' && url.includes('cdn-dev.mydomain.com')) {
    console.log('Adding credentials and JWT for CDN tile:', url);
    return {
      url: url,
      credentials: 'include',
      headers: {
        Authorization: `Bearer ${tokenRef.current}`,
      },
    };
  }
  // All other requests pass through unchanged.
  return { url };
};
```
Note that I only added the custom Authorization header as a test; I do not need it, and without it, it's still not working.
- Open DevTools → Network panel.
- Observe that:
  - The Authorization header is correctly added.
  - The expected Cookie header is missing.
- Run fetch('https://cdn-dev.mydomain.com/...', { credentials: 'include' }) in the console → the cookie is sent correctly.