Inconsistent behavior of SvelteKit's wrapped fetch

[XIYO]

Description

While developing a todo list app, I discovered inconsistent behavior with SvelteKit’s internal fetch wrapper.

Environment & Context

• Backend runs on port 8080; SvelteKit runs on port 5173.
• Authentication is cookie-based; cookies issued by the backend are maintained by the client.

Issue

Here is a simple example:

// +page.js
export async function load({ fetch }) {
    const response = await fetch(`http://localhost:8080/api/members/${user.sub}/todos`, {
        // credentials: 'include' must be enabled to avoid a 401 error after form submission.
    });
    const todoPage = await response.json();

    return { todoPage };
}

• During the initial page load (both server-side and client-side), this code works correctly.
• However, after submitting a form using <form method="POST" use:enhance>, subsequent page reloads cause fetch to exclude cookies, resulting in a 401 authentication error from the backend.

Summary of the Problem

• Initially, cookies are automatically included on both server and client requests. But after form submission, fetch behaves like the browser's native fetch without including cookies.
• Ultimately, credentials: 'include' must be explicitly specified for all fetch requests, contradicting the original purpose of SvelteKit's wrapped fetch (automatically forwarding client headers).

Suggestions

• Clearly document when and how the internal SvelteKit fetch or the browser’s native fetch is used, including explicit scenarios.
• While it's appropriate from a security perspective for browsers to exclude cookies by default, SvelteKit's internal fetch should either explicitly require credentials: 'include' consistently or behave consistently by default.

Please share any alternative solutions or additional thoughts.
Thank you!