Safari: 11.0.1 OS Version: OS X 10.12.6 URLs (if applicable) : Other browsers tested: Chrome Version 61.0.3163.100: FAIL Firefox 56.0b3 (64-bit): OK What steps will reproduce the problem? 1. use HTTP basic auth with browser handled authentication (www-authenticate) 2. make a POST request to the same origin (https) with credentials: 'include' or credentials: 'same-origin' E.G. fetch("/some-path", {headers: {"Content-Type": "application/json", Accept: "application/json"}, credentials: "same-origin", method: "POST", body: "{}"}) 3. inspect request for presence of Authorisation header What is the expected result? Expect the browser to add the Header to the outgoing request What happens instead of that? Header is not present Please provide any additional information below. Attach a screenshot if possible. I initially raised this against the spec as i wasn't sure if it was specified behaviour or not. https://github.com/whatwg/fetch/issues/628#issuecomment-342555664 However I've been advised that this is a bug in the browser and it *should* have added the header Also filed against chrome at: https://bugs.chromium.org/p/chromium/issues/detail?id=782621