Need clarification on httponly cookie restrictions on firebase functions (v2)
Does anyone know how the firebase authentication client is sending the __session cookie under the hood if the preflight request does not allow Access-Control-Allow-Credentials: true
. Is it using instead non-httponly (js accessible) cookies and sending it in a manual “Cookie: ” header from the fetch api or similar ajax?