I've seen many variations of this question here, but as far as I can tell, my setup should be working.
I'm working on a Next.js application that's sending a PUT request to our backend, which is supposed to set a cookie with specific data that can be accessed by app.mysite to prefill some forms.
I'm making the request from start.mysite to api.mysite using fetch:
    const response = await fetch("api.mysite", {
        method: 'PUT',
        credentials: 'include', // send cookies and accept Set-Cookie cross-origin
        headers: {
            'Content-Type': 'application/json',
        },
        body: ...
    });
The API does its thing, then creates that cookie:
    context.Response.Cookies.Append(
        cookieName,
        JsonSerializer.Serialize(data),
        new CookieOptions()
        {
            Path = "/",
            HttpOnly = true,
            Secure = true,
            SameSite = SameSiteMode.Strict,
            MaxAge = TimeSpan.FromMinutes(5),
            Domain = mysite, // parent domain, so app.mysite can read it
        }
    );
When the browser makes the API request, I see the preflight request, which seems to return successfully, and the response from the API includes the headers:
access-control-allow-credentials: true
access-control-allow-origin: # this matches the origin of the request headers
set-cookie: prefillData=..{data}..; max-age=300; domain=mysite; path=/; secure; samesite=strict; httponly
Unfortunately, this cookie isn't saved in the browser (Application -> Cookies). When I've run Chrome with CORS disabled, the cookie does work as I expect it to.
Is this some CORS issue with trying to set a cookie for a parent domain? Or is it an issue with SameSite=strict? I've seen Chrome fail to set the cookie and show a warning in other cases where the cookie is misconfigured, but in this case I can't tell what's wrong.
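As an added check (not code from the question or its author), the following Python applies the cookie storage rules from RFC 6265/6265bis (Secure over https only, Domain must domain-match the response host, Strict/Lax rejected from a cross-site response) to a Set-Cookie header of the shape shown above. It uses constructed example.com hosts in place of the "mysite" placeholders, computes the site as the last two labels (an assumption that no multi-label public suffix is involved), and does not model the browser default for an absent SameSite attribute.

```python
from urllib.parse import urlsplit

# Constructed Set-Cookie header shaped like the one in the question, with
# example.com standing in for "mysite" (the value is placeholder data).
SET_COOKIE = ("prefillData=eyJuYW1lIjoiYWxpY2UifQ; max-age=300; domain=example.com; "
              "path=/; secure; samesite=strict; httponly")

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()
    return name.strip(), value, attrs

def site_of(host):
    """Simplified registrable domain: the last two labels. Assumption: no
    multi-label public suffix such as co.uk is involved."""
    return ".".join(host.lower().split(".")[-2:])

def would_store(set_cookie, response_url, initiator_origin):
    """Apply the cookie storage checks (RFC 6265 / 6265bis) that decide
    whether a browser keeps a cookie from a cross-origin fetch response.
    Returns (stored, reason). An absent SameSite attribute is not modelled;
    browsers apply their own default there."""
    name, _value, attrs = parse_set_cookie(set_cookie)
    resp, init = urlsplit(response_url), urlsplit(initiator_origin)
    if not name:
        return False, "cookie has no name"
    # Secure cookies are only accepted over https.
    if "secure" in attrs and resp.scheme != "https":
        return False, "Secure cookie rejected on non-https response"
    # Domain must domain-match the response host and not be a public suffix.
    domain = attrs.get("domain", "").lstrip(".")
    host = resp.hostname.lower()
    if domain and "." not in domain:
        return False, f"domain={domain} looks like a public suffix"
    if domain and host != domain and not host.endswith("." + domain):
        return False, f"domain={domain} does not domain-match {host}"
    # Strict/Lax cookies are dropped when the response is cross-site
    # (schemeful: scheme and registrable domain must both match).
    samesite = attrs.get("samesite")
    if samesite in ("strict", "lax") and (
        init.scheme != resp.scheme or site_of(init.hostname) != site_of(host)
    ):
        return False, f"SameSite={samesite} cookie cannot be set from a cross-site response"
    return True, "cookie would be stored"
```

Running it against the real header, response URL and initiating origin names the first rule that rejects the cookie; if every rule passes, the attribute set itself is not what blocks storage and the cause lies elsewhere.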