[Bug]: Missing Cookies in Cross-Origin AJAX Requests within iframe #1102

Open

ages96 opened this issue Dec 15, 2024 · 0 comments
ages96 commented Dec 15, 2024

What happened?

When interacting with an iframe embedded on a page, and clicking a button inside the iframe, an AJAX request is made with a different origin. However, the cookie header is not included in the request when it should be, leading to incomplete functionality.

Steps to reproduce the issue:

1. Expose the local development server (running on http://localhost:80) to the internet using ngrok.
   Run the following command: `ngrok http 80`. This will forward traffic from a public URL (e.g., https://4c37-2404-c0-2a10-00-1c16-c496.ngrok-free.app) to the local server (http://localhost:80).
2. Embed the iframe with the following code in the https://4c37-2404-c0-2a10-00-1c16-c496.ngrok-free.app page:

   ```html
   <div class="zpiframe-container zpiframe-align-left">
       <iframe id="myIframe" src="http://localhost:8000/little-red-crab/menus?=iframe" width="100%" height="500"></iframe>
   </div>
   ```

3. Interact with the iframe (click a button inside it) that triggers an AJAX request.
4. Observe the request headers in the browser's developer tools.

What did you expect to happen?

I expected the Cookie header to be present in the AJAX request headers when the request is sent from the iframe, especially when it is on a different domain.

Version

3.x

What browser are you seeing the problem on?

Chrome

Relevant log output

When the iframe and its content originate from different domains (using ngrok), the request headers look like this:

```http
POST /little-red-crab/menus?=iframe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: id-ID,id;q=0.9
Connection: keep-alive
Content-Length: 15
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Host: localhost:8000
Origin: http://localhost:8000
Referer: http://localhost:8000/little-red-crab/menus?=iframe
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
X-CSRF-TOKEN: 2iicLHjJdUQ27yQy5HyVb1wr6WgVNynASKAcBVGg
X-IGNITER-REQUEST-HANDLER: localBox::onChangeOrderType
X-Requested-With: XMLHttpRequest
sec-ch-ua: "Google Chrome";v="131", "Chromium";v="131", "Not_A Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
```

When the iframe and its content originate from different domains (without using ngrok), the Cookie header is properly set in the request:

```http
POST /little-red-crab/menus?=iframe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: id-ID,id;q=0.9
Connection: keep-alive
Content-Length: 13
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: posbiz_online_session=eyJpdiI6IjY1NzRjN2Q2Y2ZhZTg1ZGI1MTgxMWM4N2Y1ODdlNjZkIiwidmFsdWUiOiJkNGY2NmM1OTBmMDg4MTdjNzMxZTAwZmY3ZjZiZDEzNTU1Y2IyMDExMjhhYjJjZmZiNzk3ZGQ5NzZkZmEwOTYwIiwibWFjIjoiOTQzZjJjODRhMmZlMzUzODY3ZDQxZWFiOTgwYzA2YWNiZGQ3MjgxZTA1YWIzZDVlNTYyNjljN2I5YmNkMmE4YyIsInRhZyI6IiJ9
Host: localhost:8000
Origin: http://localhost:8000
Referer: http://localhost:8000/little-red-crab/menus?=iframe
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
X-CSRF-TOKEN: sWRMUeoCAVstZR2rHIGQNQXIbMaiqNEGzORSwKqb
X-IGNITER-REQUEST-HANDLER: localBox::onChangeOrderType
X-Requested-With: XMLHttpRequest
sec-ch-ua: "Google Chrome";v="131", "Chromium";v="131", "Not_A Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
```
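Added illustration (editor's example, not code from the reporter or from the project the issue is filed against): the two captures differ in the frame context, not in the fetch itself. Chrome derives `Sec-Fetch-Site` from the initiator of the request (the iframe's own origin, http://localhost:8000) against the target, so it reads `same-origin` in both captures. Cookie attachment, however, looks at the whole frame chain: with the top-level page on the ngrok host, the localhost:8000 frame sits in a cross-site context, and a cookie with no `SameSite` attribute is treated as `SameSite=Lax` by Chrome, which is not sent on a cross-site subresource request such as this POST. For a cookie to travel from inside a cross-site iframe it needs `SameSite=None` together with `Secure`, and therefore https. The model below reproduces both captures under that rule set. The cookie attributes, the hypothetical `https://app.example.test` origin and the simplifications listed in the comments are assumptions, since the issue does not show the `Set-Cookie` response.

```javascript
// Added example (not from the issue or the project): a simplified model of
// Chrome's SameSite cookie rules, used to reproduce the two captures above.
//
// Simplifications (assumptions, not facts from the page):
//  - a "site" is scheme + host; the registrable-domain (eTLD+1) step is skipped,
//    which is exact for the single-label and ngrok hostnames used here.
//  - a cookie without a SameSite attribute is treated as Lax (Chrome default since v80).
//  - Chrome's "Secure cookies allowed on http://localhost" exemption is ignored.
//  - the two-minute "Lax+POST" allowance for freshly set cookies is ignored.

function siteOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.hostname}`;
}

// frameChain lists origins from the top-level page down to the frame issuing
// the request. Cookies see a same-site context only when the target is
// same-site with EVERY entry; one cross-site ancestor makes the whole context
// cross-site, even when the frame talks to its own origin.
function isSameSiteContext(requestUrl, frameChain) {
  const target = siteOf(requestUrl);
  return frameChain.every((origin) => siteOf(origin) === target);
}

// Sec-Fetch-Site compares only the request initiator (the frame's own origin)
// with the target, so it can read "same-origin" while cookies are withheld.
function secFetchSite(initiatorOrigin, requestUrl) {
  if (new URL(initiatorOrigin).origin === new URL(requestUrl).origin) return "same-origin";
  if (siteOf(initiatorOrigin) === siteOf(requestUrl)) return "same-site";
  return "cross-site";
}

// cookie: { sameSite: "Strict" | "Lax" | "None" | undefined, secure: boolean }
// ctx:    { requestUrl, method, frameChain, topLevelNavigation }
function cookieAttached(cookie, ctx) {
  const overHttps = new URL(ctx.requestUrl).protocol === "https:";
  if (cookie.secure && !overHttps) return false;        // Secure cookies never ride plain http
  const mode = cookie.sameSite ?? "Lax";                // unspecified -> Lax (Chrome default)
  if (mode === "None" && !cookie.secure) return false;  // SameSite=None requires Secure
  if (isSameSiteContext(ctx.requestUrl, ctx.frameChain)) return true;
  if (mode === "Strict") return false;
  if (mode === "Lax") {
    // Lax cookies cross a site boundary only on top-level navigations with a safe method.
    return ctx.topLevelNavigation && ["GET", "HEAD", "OPTIONS"].includes(ctx.method);
  }
  return true;                                          // None + Secure: sent cross-site
}

// Constructed scenario data mirroring the issue's captures.
const NGROK_PAGE = "https://4c37-2404-c0-2a10-00-1c16-c496.ngrok-free.app";
const APP_ORIGIN = "http://localhost:8000";
const AJAX_URL = `${APP_ORIGIN}/little-red-crab/menus?=iframe`;
// Assumed attributes of posbiz_online_session: no SameSite, no Secure (Set-Cookie not shown in the issue).
const sessionCookie = { sameSite: undefined, secure: false };

function xhrFrom(frameChain) {
  return { requestUrl: AJAX_URL, method: "POST", frameChain, topLevelNavigation: false };
}

// Capture 1: app iframed on the ngrok page -> same-origin fetch, no Cookie header.
function iframedOnNgrok() {
  const ctx = xhrFrom([NGROK_PAGE, APP_ORIGIN]);
  return { secFetchSite: secFetchSite(APP_ORIGIN, ctx.requestUrl), cookieSent: cookieAttached(sessionCookie, ctx) };
}

// Capture 2: the app page opened directly, so the whole frame chain is localhost:8000.
function openedDirectly() {
  const ctx = xhrFrom([APP_ORIGIN]);
  return { secFetchSite: secFetchSite(APP_ORIGIN, ctx.requestUrl), cookieSent: cookieAttached(sessionCookie, ctx) };
}

// What it takes to be sent from inside a cross-site iframe: SameSite=None; Secure,
// which in turn needs the app on https (hypothetical origin https://app.example.test).
function embeddedWithSameSiteNone(secure) {
  const appHttps = "https://app.example.test";
  const ctx = {
    requestUrl: `${appHttps}/little-red-crab/menus?=iframe`,
    method: "POST",
    frameChain: [NGROK_PAGE, appHttps],
    topLevelNavigation: false,
  };
  return cookieAttached({ sameSite: "None", secure }, ctx);
}

console.log("iframed on ngrok:", iframedOnNgrok());
console.log("opened directly:", openedDirectly());
console.log("SameSite=None without Secure:", embeddedWithSameSiteNone(false));
console.log("SameSite=None; Secure over https:", embeddedWithSameSiteNone(true));
```

Run it with `node`. To confirm the same verdict in the real browser, open the Network panel in Chrome DevTools, select the POST, and look at its Cookies tab: request cookies that were withheld are listed with the blocking reason (the SameSite attribute in this case), which the raw header dump above cannot show.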