Why is Sec-Fetch-Site: cross-site when redirecting to same-site


Flow:

  1. GET https://abc.example.com:8445/desktop/container (protected resource, redirect for saml authentication) response 302
  2. GET https://xyx.test.com:8553 - does saml authentication and redirects (302) to https://abc.example.com:8445/desktop/sso/authcode
  3. https://abc.example.com:8445/desktop/sso/authcode - responds with auth tokens in response cookies (SameSite=Strict) and redirects (302) to the original request (https://abc.example.com:8445/desktop/container)
  4. https://abc.example.com:8445/desktop/container - (token cookies are not sent in the request, hence SAML authentication is initiated again)

Here in the 4th request, I am expecting the token cookies to be sent with the request, but they are actually not sent, and the request headers set by the browser are:

  Sec-Fetch-Dest: document
  Sec-Fetch-Mode: navigate
  Sec-Fetch-Site: cross-site

Why is Sec-Fetch-Site cross-site? This (points 3 and 4) seems to be a same-origin request.

If I set SameSite=None for the response cookies of the 3rd request, then it works fine, i.e. these cookies are sent with the 4th request.


Answer by Heiko Theißen

Clicking https://httpbin.org/redirect-to?url=https://stackoverflow.com/questions/78195772 makes three requests:

  1. To httpbin.org, this is a cross-site navigation and therefore has Sec-Fetch-Site: cross-site.
  2. To https://stackoverflow.com/questions/78195772, this is caused by the 302 Found response to the first request and therefore inherits its Sec-Fetch-Site header.
  3. To https://stackoverflow.com/questions/78195772/why-is-sec-fetch-site-cross-site-when-redirecting-to-same-site, this is caused by the 301 Moved Permanently response to the second request and therefore inherits its Sec-Fetch-Site header.

The Sec-Fetch-Site header is "inherited" by the second and third request, because these are HTTP-redirect fetch requests. It would be different if the redirection was triggered by a JavaScript statement such as

location.href = "https://stackoverflow.com/questions/78195772";

because this would lead to a scheme fetch request. In that case, the transition from request #1 to #2 would be cross-site, and the transition from request #2 to #3 would be same-site.

(See also SameSite=Strict cookies and cross-site requests with redirections)
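The answer's point, that a redirect chain is evaluated as one request whose URL list contains every hop, can be checked against the question's own flow by running the "set the Sec-Fetch-Site header" algorithm from the Fetch Metadata Request Headers spec. The script below is an added example, not code from the question, the answer or any browser: it walks the request's URL list against the initiator's origin exactly as the spec does (same-origin hops are skipped, a same-site hop yields `same-site`, the first cross-site hop yields `cross-site` and stops the loop). The registrable-domain helper is a stand-in for the Public Suffix List and simply takes the last two host labels, which is an assumption that holds for the hosts used here; the initiator origin `https://abc.example.com:8445` and the `login.example.com` hop are also assumptions, since the question does not say what started request 1.

```javascript
// Added example: Sec-Fetch-Site for a navigation that goes through a redirect chain,
// following the Fetch Metadata "set the Sec-Fetch-Site header" algorithm.

// Registrable domain (eTLD+1). Browsers consult the Public Suffix List; this
// stand-in assumes the last two labels form the site (assumption, enough for
// example.com and test.com below).
function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// "same origin": scheme, host and port equal. URL.origin normalises default ports,
// so https://login.example.com and https://login.example.com:443 compare equal.
function sameOrigin(a, b) {
  return a.origin === b.origin;
}

// "schemeful same site": same scheme and same registrable domain; ports are ignored,
// so abc.example.com:8445 and login.example.com are same-site but not same-origin.
function sameSite(a, b) {
  return (
    a.protocol === b.protocol &&
    registrableDomain(a.hostname) === registrableDomain(b.hostname)
  );
}

// initiatorOrigin: the request's origin, i.e. the origin of the document that started
// the navigation. urlList: the request's URL list, i.e. the first URL followed by every
// 3xx Location target, in order. userInitiated models a typed URL or bookmark, for
// which the spec sends "none".
function secFetchSite(initiatorOrigin, urlList, userInitiated = false) {
  if (userInitiated) return "none";
  const origin = new URL(initiatorOrigin);
  let value = "same-origin";
  for (const u of urlList.map((s) => new URL(s))) {
    if (sameOrigin(origin, u)) continue;
    value = "cross-site";
    if (!sameSite(origin, u)) break; // one cross-site hop taints the whole chain
    value = "same-site";
  }
  return value;
}

// The question's flow as one redirect chain. Assumption: request 1 was started by a
// link on a page at https://abc.example.com:8445.
const INITIATOR = "https://abc.example.com:8445";
const QUESTION_CHAIN = [
  "https://abc.example.com:8445/desktop/container", // 1: protected resource, 302
  "https://xyx.test.com:8553/", // 2: SAML IdP, 302
  "https://abc.example.com:8445/desktop/sso/authcode", // 3: sets cookies, 302
  "https://abc.example.com:8445/desktop/container", // 4: cookies expected here
];

function scenarios() {
  return {
    // Every hop is same-origin with the initiator.
    sameOriginChain: secFetchSite(INITIATOR, [QUESTION_CHAIN[0]]),
    // A cross-origin but same-site hop (assumed host login.example.com) keeps "same-site".
    sameSiteChain: secFetchSite(INITIATOR, [
      "https://abc.example.com:8445/desktop/container",
      "https://login.example.com/sso",
      "https://abc.example.com:8445/desktop/sso/authcode",
    ]),
    // The question's chain: the hop through xyx.test.com makes request 4 cross-site,
    // although requests 3 and 4 share an origin.
    questionChain: secFetchSite(INITIATOR, QUESTION_CHAIN),
    // Same chain, but request 1 was typed into the address bar.
    typedUrl: secFetchSite(INITIATOR, QUESTION_CHAIN, true),
    // The answer's distinction applied to the question: if the authcode page (request 3)
    // navigated with location.href instead of a 302, request 4 is a fresh navigation
    // whose origin is abc.example.com:8445 and whose URL list holds only the container URL.
    jsNavigationFromAuthcode: secFetchSite(INITIATOR, [QUESTION_CHAIN[3]]),
  };
}

console.log(scenarios());
```

Run with `node` to see the five values. The practical reading for the question's flow: the `xyx.test.com` hop is what makes request 4 cross-site, and replacing the 302 in step 3 with a navigation issued by the authcode document itself starts a new request whose URL list no longer contains that hop.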