When performing a QNetworkRequest on the WASM platform, cookies are only transferred in same-origin contexts. The reason for this is that QNetworkReplyWasmImplPrivate does not set m_xhr.withCredentials = true on the XMLHttpRequest that's created in the backend.
For web frontends that communicate with backends at a different origin, this is a major showstopper.
Leaving the default at withCredentials = false is fine, but it should be possible to set this differently. API wise, I guess it would be best to add an QNetworkRequest::Attribute that does this.