Web/API/XMLHTTPRequest/withCredentials

From Get docs


The XMLHttpRequest.withCredentials property is a Boolean that indicates whether or not cross-site Access-Control requests should be made using credentials such as cookies, authorization headers or TLS client certificates. Setting withCredentials has no effect on same-site requests.

In addition, this flag is also used to indicate when cookies are to be ignored in the response. The default is false. XMLHttpRequest from a different domain cannot set cookie values for their own domain unless withCredentials is set to true before making the request. The third-party cookies obtained by setting withCredentials to true will still honor same-origin policy and hence can not be accessed by the requesting script through document.cookie or from response headers.

Note: This never affects same-site requests.


'Note: ' XMLHttpRequest responses from a different domain cannot set cookie values for their own domain unless withCredentials is set to true before making the request, regardless of Access-Control- header values. 


Example

var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://example.com/', true);
xhr.withCredentials = true;
xhr.send(null);

Specifications

Specification Status Comment
XMLHttpRequest Living Standard WHATWG living standard

Browser compatibility

Update compatibility data on GitHub

Desktop Mobile
Chrome Edge Firefox Internet Explorer Opera Safari Android webview Chrome for Android Firefox for Android Opera for Android Safari on iOS Samsung Internet
withCredentials Chrome

Full support 3

Edge

Full support 12

Firefox Full support 3.5

Notes'

Full support 3.5

Notes'

Notes' Starting with Firefox 11, it's no longer supported to use the withCredentials attribute when performing synchronous requests. Attempting to do so throws an NS_ERROR_DOM_INVALID_ACCESS_ERR exception.

IE Full support 10

Notes'

Full support 10

Notes'

Notes' Internet Explorer versions 8 and 9 supported cross-domain requests (CORS) using XDomainRequest.

Opera

Full support 12

Safari

Full support 4

WebView Android

Full support ≤37

Chrome Android

Full support 18

Firefox Android Full support 4

Notes'

Full support 4

Notes'

Notes' Starting with Firefox 11, it's no longer supported to use the withCredentials attribute when performing synchronous requests. Attempting to do so throws an NS_ERROR_DOM_INVALID_ACCESS_ERR exception.

Opera Android

Full support 12

Safari iOS

Full support 3.2

Samsung Internet Android

Full support 1.0

Legend

Full support  
Full support
See implementation notes.'
See implementation notes.


Retrieved from "https://getdocs.org/index.php?title=Web/API/XMLHTTPRequest/withCredentials&oldid=24427"
Powered by MediaWiki