Safari seems to diverge from the other browsers (Chrome, Chromium Edge and Firefox) in how it treats the sending of cookies with requests with same-origin type="module" script tags, and it seems to exist even if "cross site tracking" is deactivated. At first I thought it was CORS related, but because the script is being served from the same-origin I believe CORS wouldn't be required. The only way I was able to accomplish actually sending cookies on such a request was with passing `crossorigin="use-credentials"`. This does seem similar in nature to these outstanding bugs: https://bugs.webkit.org/show_bug.cgi?id=171566 https://bugs.webkit.org/show_bug.cgi?id=171550 What's even stranger is that it _does_ seem to be fine with fetch(). I can successfully send a fetch() request for the same file in the console of the page (which should throw an error if the cookies were not included in the request).
I've created a minimal example of this here. https://positive-shallot.glitch.me (Edit link here: https://glitch.com/edit/#!/positive-shallot) You can see that the same-origin "client.js" script tag with type="module" sends no request cookies, but does send them when the script requests the same file with a fetch(). Somewhat confusingly it requires the "crossorigin" tag to have the request send the same origin cookie (as shown with the "client-use-credentials.js" script).
<rdar://problem/58946768>
Thanks for your report. WebKit was implemented based on old spec description (using "omit" by default), and the spec is now changed. This is fixed in bug 210326. *** This bug has been marked as a duplicate of bug 210326 ***