The XMLHttpRequest.withCredentials
property is a Boolean
that indicates whether or not cross-site Access-Control
requests should be made using credentials such as cookies, authorization headers or TLS client certificates. Setting withCredentials
has no effect on same-site requests.
In addition, this flag is also used to indicate when cookies are to be ignored in the response. The default is false
. XMLHttpRequest
from a different domain cannot set cookie values for their own domain unless withCredentials
is set to true
before making the request. The third-party cookies obtained by setting withCredentials
to true will still honor same-origin policy and hence can not be accessed by the requesting script through document.cookie or from response headers.
Note: This never affects same-site requests.
Note: XMLHttpRequest
responses from a different domain cannot set cookie values for their own domain unless withCredentials
is set to true
before making the request, regardless of Access-Control-
header values.
Example
var xhr = new XMLHttpRequest(); xhr.open('GET', 'http://example.com/', true); xhr.withCredentials = true; xhr.send(null);
Specifications
Specification | Status | Comment |
---|---|---|
XMLHttpRequest | Living Standard | WHATWG living standard |
Browser compatibility
Desktop | Mobile | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
withCredentials | Chrome Full support 3 | Edge Full support 12 | Firefox
Full support
3.5
| IE
Full support
10
| Opera Full support 12 | Safari Full support 4 | WebView Android Full support ≤37 | Chrome Android Full support 18 | Firefox Android
Full support
4
| Opera Android Full support 12 | Safari iOS Full support 3.2 | Samsung Internet Android Full support 1.0 |
Legend
- Full support
- Full support
- See implementation notes.
- See implementation notes.