The XMLHttpRequest.withCredentials property is a Boolean that indicates whether cross-origin Access-Control requests should be made using credentials such as cookies, authorization headers or TLS client certificates. The default is false. Setting withCredentials has no effect on same-origin requests.
The flag also governs cookies in the response. An XMLHttpRequest to a different origin cannot set cookies for that origin unless withCredentials is set to true before the request is sent, regardless of any Access-Control-* header values in the response. Cookies obtained this way still honor the same-origin policy: the requesting script cannot read them through document.cookie, nor from the response headers.
Note: For a request with withCredentials set to true, the browser only exposes the response to the script if the server answers with Access-Control-Allow-Credentials: true and an Access-Control-Allow-Origin header that names the requesting origin exactly; the wildcard * is rejected for credentialed requests.
Example
var xhr = new XMLHttpRequest();
xhr.open('GET', 'https://example.com/', true);  // asynchronous request
xhr.withCredentials = true;                      // must be set before send()
xhr.send(null);
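The example above only shows the client flag. What actually decides whether a credentialed cross-origin response is readable is the browser's CORS check against the headers the server sends back. The following is an added example, not MDN's or any browser's code: a Node-runnable model of both halves, with a server-side helper that emits correct headers for an allowlisted origin and a re-implementation of the Fetch standard's CORS check on the browser side. The allowlist and the origins used are constructed values.

```javascript
// Added example, not MDN's or any browser's code: a Node-runnable model of the
// two halves of a credentialed cross-origin request. `ALLOWED` and the origins
// below are constructed values.

// Server side: CORS response headers for an endpoint that reads cookies.
// A credentialed response may not use "*": the exact origin must be echoed,
// and only for origins on an allowlist. Reflecting any Origin header together
// with Allow-Credentials would let every site read the user's authenticated
// responses. Vary: Origin keeps a shared cache from replaying one origin's
// Allow-Origin value to another.
function corsResponseHeaders(requestOrigin, allowlist) {
  if (!requestOrigin || !allowlist.has(requestOrigin)) {
    return { Vary: 'Origin' };            // unknown origin: no CORS grant at all
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

// Browser side: a re-implementation of the CORS check from the Fetch standard
// that decides whether the script may read the response. This is the check
// that turns withCredentials=true against a "*" origin into a blocked response.
// Header names are matched case-insensitively, as a browser would.
function browserAllowsResponse(requestOrigin, withCredentials, responseHeaders) {
  const header = (name) => {
    const key = Object.keys(responseHeaders).find((k) => k.toLowerCase() === name);
    return key === undefined ? null : responseHeaders[key];
  };
  const allowOrigin = header('access-control-allow-origin');
  if (allowOrigin === null) return false;                   // no grant: blocked
  if (!withCredentials && allowOrigin === '*') return true;  // anonymous + wildcard
  if (allowOrigin !== requestOrigin) return false;           // wildcard or other origin
  if (!withCredentials) return true;
  return header('access-control-allow-credentials') === 'true';
}

// Run one request end to end and report whether the script can read the body.
function simulate(requestOrigin, withCredentials, allowlist) {
  const headers = corsResponseHeaders(requestOrigin, allowlist);
  return browserAllowsResponse(requestOrigin, withCredentials, headers);
}

const ALLOWED = new Set(['https://app.example']);   // constructed allowlist

// The wildcard that works for anonymous requests is rejected once credentials are sent.
console.log(browserAllowsResponse('https://app.example', false, { 'Access-Control-Allow-Origin': '*' })); // true
console.log(browserAllowsResponse('https://app.example', true, { 'Access-Control-Allow-Origin': '*' }));  // false
console.log(simulate('https://app.example', true, ALLOWED));   // true
console.log(simulate('https://evil.example', true, ALLOWED));  // false
```

The check a practitioner wants when reviewing a credentialed endpoint is the `corsResponseHeaders` branch for unknown origins: a server that echoes whatever Origin it receives alongside Access-Control-Allow-Credentials: true passes `browserAllowsResponse` for every site on the web, which is the common CORS misconfiguration.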
Specifications
Specification | Status | Comment |
---|---|---|
XMLHttpRequest | Living Standard | WHATWG living standard |
Browser compatibility
Feature | Chrome | Firefox (Gecko) | Internet Explorer | Opera | Safari (WebKit) |
---|---|---|---|---|---|
Basic support | 3 | 3.5 (1.9.1)[2] | 10[1] | 12 | 4 |
Feature | Android | Chrome for Android | Firefox Mobile (Gecko) | IE Mobile | Opera Mobile | Safari Mobile |
---|---|---|---|---|---|---|
Basic support | ? | ? | (Yes)[2] | ? | ? | ? |
[1] Internet Explorer versions 8 and 9 supported cross domain requests (CORS) using XDomainRequest.
[2] Starting with Gecko 11.0 (Firefox 11.0 / Thunderbird 11.0 / SeaMonkey 2.8), Gecko no longer lets you use the withCredentials attribute when performing synchronous requests. Attempting to do so throws an NS_ERROR_DOM_INVALID_ACCESS_ERR exception.