Access-Control-Allow-Credentials failure when trying to fetch the token

I’m building a small app with auth0 as a trial experience. Everything worked out pretty well when I developed locally, but now I deployed it to the web and got unexpected issues.

The error happens when I access /oauth/token:

Access to fetch at 'https://MYORG.auth0.com/oauth/token' from origin 'https://MYDOMAIN.COM' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'.

Here’s how the request looks (converted to curl):

curl 'MYORG.auth0.com/oauth/token' -H 'Referer: MYDOMAIN.COM/?code=CODE&state=STATE%3D%3D' -H 'Sec-Fetch-Dest: empty' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.106 Safari/537.36' -H 'Content-type: application/json' --data-binary '{"grant_type":"authorization_code","redirect_uri":"MYDOMAIN.COM","audience":"AUD","client_id":"CID","code_verifier":"WHATEVER","code":"WHATEVER"}' --compressed

Sent via curl it returns me a valid cookie; sent via the browser it results in the aforementioned error. Given it’s a POST request that sets a cookie, and reading through MDN, it looks to me that the Auth0 SDK (I’m using https://cdn.auth0.com/js/auth0-spa-js/1.2/auth0-spa-js.production.js) is supposed to send the request with XMLHttpRequest.withCredentials, but more importantly, the server must reply with an Access-Control-Allow-Credentials header (which it doesn’t, based on curl).

Any ideas?

Apparently it was flutter all along.

The release build includes a service worker which has a handler like this:

self.addEventListener('fetch', function (event) {
  event.respondWith(
    // Serve from the precache when the request is already there.
    caches.match(event.request)
      .then(function (response) {
        if (response) {
          return response;
        }
        // Otherwise go to the network, but with credentials forced to 'include'
        // for every request, cross-origin ones (like the Auth0 token endpoint) too.
        return fetch(event.request, {
          credentials: 'include'
        });
      })
  );
});

As you can see, it forcefully injects credentials: 'include' into all the requests, thus making auth0 requests fail because the responses lack the Access-Control-Allow-Credentials header.
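To make the failure mode above concrete, here is an added example (not the poster's code, and not part of the Flutter or Auth0 projects) that models the browser's credentialed-CORS rule from the error message and shows a service-worker fetch policy that only forces credentials: 'include' for same-origin requests, leaving cross-origin calls such as the token endpoint on the default mode. The response headers and origins are constructed placeholders derived from the post (MYORG.auth0.com, MYDOMAIN.COM), not captured Auth0 traffic.

```javascript
// Added example, not the poster's or Auth0's code. Runs under Node for the
// checks; the service-worker registration at the bottom only runs in a worker.

// Placeholders taken from the post (lowercased, because URL.origin lowercases hosts).
const APP_ORIGIN = 'https://mydomain.com';
const TOKEN_ENDPOINT = 'https://MYORG.auth0.com/oauth/token';

// Browser rule behind the error: for a credentialed request (mode 'include')
// the response must carry Access-Control-Allow-Credentials: true and an
// Access-Control-Allow-Origin that names the exact origin (no '*').
// For a non-credentialed request, '*' or the exact origin is enough.
function corsCredentialsCheckPasses(responseHeaders, credentialsMode, requestOrigin) {
  const headers = new Map(
    Object.entries(responseHeaders).map(([name, value]) => [name.toLowerCase(), value])
  );
  const allowOrigin = headers.get('access-control-allow-origin');
  if (allowOrigin === undefined) return false;
  if (credentialsMode !== 'include') {
    return allowOrigin === '*' || allowOrigin === requestOrigin;
  }
  return allowOrigin === requestOrigin &&
    headers.get('access-control-allow-credentials') === 'true';
}

// Service-worker policy: include cookies only for requests back to our own
// origin; everything cross-origin keeps the default 'same-origin' mode, which
// is what the Auth0 SPA SDK's token request expects.
function credentialsModeFor(requestUrl, serviceWorkerOrigin) {
  const target = new URL(requestUrl).origin;
  const own = new URL(serviceWorkerOrigin).origin;
  return target === own ? 'include' : 'same-origin';
}

function fetchOptionsFor(requestUrl, serviceWorkerOrigin) {
  return { credentials: credentialsModeFor(requestUrl, serviceWorkerOrigin) };
}

// Constructed response resembling what the post describes: the origin is
// allowed but no Access-Control-Allow-Credentials header is present.
const CONSTRUCTED_TOKEN_RESPONSE_HEADERS = {
  'Access-Control-Allow-Origin': APP_ORIGIN,
  'Content-Type': 'application/json'
};

// Reproduces the post: with the original worker ('include') the check fails,
// with the scoped policy ('same-origin' for the cross-origin endpoint) it passes.
function demo() {
  const brokenMode = 'include';
  const fixedMode = credentialsModeFor(TOKEN_ENDPOINT, APP_ORIGIN);
  return {
    original: corsCredentialsCheckPasses(CONSTRUCTED_TOKEN_RESPONSE_HEADERS, brokenMode, APP_ORIGIN),
    scoped: corsCredentialsCheckPasses(CONSTRUCTED_TOKEN_RESPONSE_HEADERS, fixedMode, APP_ORIGIN)
  };
}

// Only registers when actually running inside a service worker.
if (typeof self !== 'undefined' && typeof self.addEventListener === 'function') {
  self.addEventListener('fetch', function (event) {
    event.respondWith(
      caches.match(event.request).then(function (cached) {
        if (cached) return cached;
        return fetch(event.request, fetchOptionsFor(event.request.url, self.location.origin));
      })
    );
  });
} else {
  console.log(demo()); // { original: false, scoped: true }
}
```

The scoped policy keeps the precache behaviour the generated worker had and only changes the credentials decision; an app that genuinely needs cookies on a cross-origin API should enable that per origin rather than globally, and that origin must then answer with Access-Control-Allow-Credentials: true and a non-wildcard Access-Control-Allow-Origin.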