Axios ignoring set-cookie in cross-origin setup on Chrome & Brave

The bug Axios ‘with-credentials’ does not seem to be abiding and setting the proper cookies under Chrome and Brave in NON-incognito mode. Sending a simple username & password from ‘portal.sampledomain.com:5000’ -> ‘api.sampledomain.com:30000’ ends up with an OPTIONS request + a POST that successfully complete & return a good set-cookie; however, upon inspecting the DOM, there’s no cookies actually set.

Note: this works PROPERLY under incognito mode 100% of the time in both browsers, but not in regular brave or chrome. It also works 100% of the time in Safari/Firefox.

To Reproduce There are 2 services required to reproduce; the React app (portal) sending the request and an ExpressJS4 server side running node v10. The NodeJS server simply defines a module export and uses it via app.use() as the first used module the chain. The cookies are sent by node using a simple res.cookie() call.

React code

const api = axios.create({
  baseURL: 'http://api.sampledomain.com',
  timeout: 6000,
  withCredentials: true,
  headers: {
    "Content-Type": "application/json"
  }
});

  const requestOptions = {
        method: 'post',
        url: "sessions",
        data: { username: "abc", password: "123" }
    };

   return api(requestOptions)

Sample POST REQUEST headers

Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Content-Length: 181
Content-Type: application/json
Host: api.sera4.com
Origin: http://portal.domain.com:5000
Referer: http://portal.sampledomain.com:5000/login
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36

And the corresponding POST RESPONSE

Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Authorization,Content-Type,membership-id,account-id,X-Requested-With,Accept,Origin
Access-Control-Allow-Methods: GET, POST, OPTIONS, DELETE, PUT, PATCH
Access-Control-Allow-Origin: http://portal.sampledomain.com:5000
Access-Control-Expose-Headers: x-pagination, Content-Length
Connection: keep-alive
Content-Length: 2290
Content-Type: application/json; charset=utf-8
Date: Tue, 23 Jul 2019 04:29:42 GMT
ETag: W/"8f2-QRLNcbsQpfPJIIbfWyABS7Obcd8"
Referrer-Policy: origin-when-cross-origin
Set-Cookie: tokenExpiry=1566448182153; Max-Age=2592000; Domain=.sampledomain.com; Path=/; Expires=Thu, 22 Aug 2019 04:29:42 GMT
X-Powered-By: Express

ExpressJS code

module.exports = (req, res, next) => {
  var origin = req.headers.origin;

  res.setHeader('Referrer-Policy', 'origin-when-cross-origin');

  res.setHeader('Access-Control-Allow-Origin', origin);

  res.setHeader('Access-Control-Allow-Credentials', true);
  res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS, DELETE, PUT, PATCH');
  res.setHeader('Access-Control-Allow-Headers', ['Authorization', 'Content-Type',
    'membership-id', 'account-id','X-Requested-With', 'Accept', 'Origin'].join(','));
  res.setHeader('Access-Control-Expose-Headers', 'x-pagination, Content-Length');

  if (req.method.toUpperCase() === "OPTIONS") {
    return res.status(200).send();
  }
  
  next();
}

It should be noted that I have an /etc/hosts entry pointing api and portal.sampledomain.com -> 127.0.0.1

Expected behavior As in Firefox and Safari, I would expect the cookies to be set. After adding 1,2,3 or even more cookies with various options(secure,non-secure, httpOnly true/false), axios continues to ignore the set-cookie on the two browser platforms.

Environment:

• Axios Version [e.g. 0.19.0, 0.18.1, 0.18.0]
• OS: [e.g. OSX 10.14.5 & docker 18.09.2]
• Browser [Chrome, Brave]
• Browser Version [Version 0.66.101 Chromium: 75.0.3770.142 (Official Build) (64-bit)]
• Additional Library Versions [e.g. React 16.7]

Additional context/Screenshots None