XMLHttpRequest: withCredentials property
Baseline Widely available
This feature is well established and works across many devices and browser versions. It’s been available across browsers since July 2015.
Note: This feature is available in Web Workers, except for Service Workers.
The XMLHttpRequest.withCredentials
property is a boolean value that indicates whether or not cross-site Access-Control
requests should be made using credentials such as cookies, authentication headers or TLS client certificates. Setting withCredentials
has no effect on same-origin requests.
In addition, this flag is also used to indicate when cookies are to be ignored in the response. The default is false
. XMLHttpRequest
responses from a different domain cannot set cookie values for their own domain unless withCredentials
is set to true
before making the request. The third-party cookies obtained by setting withCredentials
to true
will still honor same-origin policy and hence can not be accessed by the requesting script through document.cookie or from response headers.
Note: This never affects same-origin requests.
Note: XMLHttpRequest
responses from a different domain cannot set cookie values for their own domain unless withCredentials
is set to true
before making the request, regardless of Access-Control-
header values.
Value
A boolean.
Examples
const xhr = new XMLHttpRequest();
xhr.open("GET", "http://example.com/", true);
xhr.withCredentials = true;
xhr.send(null);
Specifications
Specification |
---|
XMLHttpRequest Standard # the-withcredentials-attribute |
Browser compatibility
BCD tables only load in the browser