This sounds easy but... it isn't!
Use this fetch options:
fetch('superUnsecureCorsUrl',{
credentials: 'include'
})
const cors = require('cors');
const app = express();
//Allow CORS requests
var corsOptions = {
origin: 'trustedClientUrl',
credentials: true
};
app.use(cors(corsOptions))
Note that origin property can not be '*'.