Cometd not working in summer 18
I don't know if this is the right answer but I'm gonna drop the possibility here...
Locker Service defines a few trusted origin domains. Take a look at this commit: https://github.com/forcedotcom/aura/commit/495eaccdc3292a6cf2dcd2c2347c0329c06339e0#diff-7029ab74270f2b05e936f8a47738b1a7
In the code base as of Spring 18's release date, we see (https://github.com/forcedotcom/aura/blob/259fe052729103f069e453978a18ae24f747f6dc/aura-resources/src/main/resources/aura/resources/lockerservice/aura-locker.js):
// for relative urls enable sending credentials
if (scriptUrl.indexOf('/') === 0) {
xhr.withCredentials = true;
}
In other words, it used to be that any XHR made to a relative URL would be made with credentials. In a more recent commit (prior to the current one), we see:
const TRUSTED_CORS_DOMAINS = /(\.lightning\.(.*\.)?force|\.salesforce)\.com$/;
/* many lines skipped */
if (normalized.hostname.match(TRUSTED_DOMAINS)) {
xhr.withCredentials = true;
}
In the current code base we see:
const TRUSTED_DOMAINS = /\.(force|salesforce)\.com$/;
/* many lines skipped */
if (normalized.hostname.match(TRUSTED_DOMAINS)) {
xhr.withCredentials = true;
}
But... if you're running Lightning inside Visualforce via Lightning Out, your Lightning is in fact being served from the Visualforce domain. And if you have enabled the update "Remove Instance Names from URLs for Visualforce, Community Builder, Site.com Studio, and Content Files" then your VF domain name changes from mydomain--c.naXX.visual.force.com
to mydomain--c.visualforce.com
which does NOT match the regexes above. So I wonder if the Lightning Locker team neglected to consider this possibility?