something I'm struggling to understand about browser security is why you can send cross-origin POST requests with the user's cookies with a form, but the exact same fetch() call won't include the cookies

(I mean it's clear why we would NOT want to include the cookies, but it feels weird that it's allowed in one context but not in another)