It appears to be currently impossible to set the acceptThirdPartyCookies option for android.webkit.CookieManager or a similar security measure (there is no method setAcceptThirdPartyCookies in ICordovaCookieManager, its default implementation or the Crosswalk implementation).
Yet in our app we can clearly observe (and suffer the consequences of) some security mechanism stripping Cookie and Set-Cookie headers from requests leaving the currently-visited domain, regardless of access and allow-origin rules in the config.xml.
In version 4.* the CordovaWebView extended android.webkit.WebView and so a fix was merged in issue CB-8026 apparently, but it seems that there has been a regression.
- enable Cookies (webView.getCookieManager().setAcceptCookies(true);)
- visit content on hostb in the Web View
- set a cookie (document.cookie = "test=123")
- make a request to hostb (<img src="http://hostb/test.png" />)
- there will be a Cookie header set on the request.
- visit content on hosta in the same view
- make same request to hostb (<img src="http://hostb/test.png" />)
- there will not be a Cookie header set on the request.
- webView.getCookieManager().getCookie("http://hostb") will still show the Cookie
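
A way to check and change the per-WebView third-party cookie setting that the report above suspects, added here as an example and not part of the original report or of Cordova's own code. It assumes the system WebView engine on API 21 or later, where android.webkit.CookieManager has acceptThirdPartyCookies and setAcceptThirdPartyCookies; the plugin class, package and log tag are hypothetical names.

```java
package com.example.cookies; // hypothetical package name

import android.os.Build;
import android.util.Log;
import android.view.View;
import android.webkit.CookieManager;
import android.webkit.WebView;

import org.apache.cordova.CordovaPlugin;

// Hypothetical plugin. Register it in config.xml with
// <param name="onload" value="true" /> so it runs before the first page load.
public class ThirdPartyCookiePlugin extends CordovaPlugin {
    private static final String TAG = "ThirdPartyCookies"; // hypothetical log tag

    @Override
    protected void pluginInitialize() {
        // The per-WebView third-party cookie API exists only on API 21+.
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP) {
            Log.i(TAG, "API < 21: no per-WebView third-party cookie setting");
            return;
        }
        // With the Crosswalk engine the view is not an android.webkit.WebView,
        // so this setting cannot be applied to it.
        final View view = webView.getView();
        if (!(view instanceof WebView)) {
            Log.w(TAG, "Engine view is " + view.getClass().getName()
                    + ", not android.webkit.WebView; nothing changed");
            return;
        }
        final WebView systemWebView = (WebView) view;
        cordova.getActivity().runOnUiThread(new Runnable() {
            @Override
            public void run() {
                CookieManager cm = CookieManager.getInstance();
                // Log the state first: false here would be consistent with the
                // Cookie header missing on requests to hostb made from hosta.
                Log.i(TAG, "acceptThirdPartyCookies before: "
                        + cm.acceptThirdPartyCookies(systemWebView));
                // The setting is scoped to this one WebView instance.
                cm.setAcceptThirdPartyCookies(systemWebView, true);
                Log.i(TAG, "acceptThirdPartyCookies after: "
                        + cm.acceptThirdPartyCookies(systemWebView));
            }
        });
    }
}
```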