only forward cookies for internal fetches - #6923

Merged
merged 1 commit into from
Sep 21, 2022

Rich-Harris
Member

closes #6604.

I'm not sure if we also need to handle the case where www.domain.com is requesting data from domain.com, or where the external origin sets a third party cookie?

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.

Tests

  • Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

  • If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. All changesets should be patch until SvelteKit 1.0

Member

@dummdidumm dummdidumm left a comment

Re domain vs www.domain - I vaguely remember that these are treated differently, so this should be correct.
Re third party cookies: How can these be detected? From a quick reading it sounds like they should be forwarded since they are not related to your domain.

Approving to get you unblocked.

@Rich-Harris Rich-Harris merged commit 73ea7b4 into master Sep 21, 2022
@Rich-Harris Rich-Harris deleted the gh-6604 branch September 21, 2022 19:42
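
The rule in the PR title, written out as an added example (not SvelteKit's code and not part of this PR): a server-side fetch receives the visitor's `Cookie` header only when its target has exactly the same origin as the incoming request. It assumes the strict reading in which `www.domain.com` counts as external to `domain.com`; the function names, host names and cookie value are constructed for illustration.

```javascript
// Added example: not SvelteKit's implementation.
// Host names and the cookie value below are constructed sample data.

// "Internal" here means an exact origin match: scheme + host + port.
function isInternalFetch(appUrl, target) {
  const app = new URL(appUrl);
  const resolved = new URL(target, app); // relative paths resolve to the app itself
  return resolved.origin === app.origin;
}

// Build outgoing headers for a fetch made while handling `incoming`,
// a plain object { url, headers } with lower-case header names.
function headersForServerFetch(incoming, target, extraHeaders = {}) {
  const headers = { ...extraHeaders };
  const cookie = incoming.headers.cookie;
  if (cookie && isInternalFetch(incoming.url, target)) {
    headers.cookie = cookie; // same origin: the browser already sent it to this app
  }
  return headers; // any other origin never sees the visitor's cookies
}

// Constructed incoming request carrying a session cookie.
const incoming = {
  url: 'https://domain.com/dashboard',
  headers: { cookie: 'session=constructed-sample-value' }
};

const targets = [
  '/api/me',                          // relative: internal
  'https://domain.com/api/me',        // same origin: internal
  'https://www.domain.com/api/me',    // different host: withheld
  'http://domain.com/api/me',         // different scheme: withheld
  'https://api.example.net/v1/data'   // external API: withheld
];

for (const target of targets) {
  const sent = 'cookie' in headersForServerFetch(incoming, target, { accept: 'application/json' });
  console.log(`${target} -> cookie ${sent ? 'forwarded' : 'withheld'}`);
}
```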
oetiker commented Sep 22, 2022

thank you!

Successfully merging this pull request may close these issues.

Cookie leak