For fetches that are sent with cookies, unpartitioned cookies are included, as if the resource was loaded as a same-origin request, e.g. regardless of the SameSite value (which is used when a resource loaded as a third-party, not first-party).
This no longer matches the CG consensus or the implementation; we only allow SameSite=None cookies. (#587 might change it to also allow Lax, but either way, the spec is incorrect)
The last paragraph of https://fedidcg.github.io/FedCM/#browser-api says:
This no longer matches the CG consensus or the implementation; we only allow SameSite=None cookies. (#587 might change it to also allow Lax, but either way, the spec is incorrect)