is there a way to send httpOnly cookie?

[simpsonphile]

as the title says is there a way to send a httpOnly cookie in the header? it's not in headers by default. In documentation there is only one example with header Authorization: Bearer {token}

currently that's how request headers looks like:

POST /matchmake/joinOrCreate/chat_room HTTP/1.1
Accept: application/json
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en,et;q=0.9,pl-PL;q=0.8,pl;q=0.7,en-US;q=0.6
Connection: keep-alive
Content-Length: 25
Content-Type: application/json
Host: localhost:2567
Origin: http://127.0.0.1:3000
Referer: http://127.0.0.1:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="130", "Google Chrome";v="130", "Not?A_Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"

I would like to have additional data:

cookie:
authToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhZGRyZXNzIjoiMHg4RWM2RTRkMTRiRTE0ZEI4M

some option like { withCredentials: true } would be nice in client settings

[endel]

Hi @simpsonphile, the JavaScript SDK should add withCredentials automatically if the client.auth.token is set, check here: https://github.com/colyseus/colyseus.js/blob/43d8a977fe3cac3a8d05dcedc16be8b6a497f9f4/src/HTTP.ts#L40-L56

[simpsonphile]

thanks for the reply :)
I found this solution you gave me but it won't work with the HttpOnly cookie (it can't be passed in js, it's stored in the browser and passed automatically if credentials: include is passed). it's more secure as scripts won't have access to such cookie