
No, the cookies won't be sent. That would defeat the whole purpose.


So this effectively eliminates the "XMLHttpRequest.withCredentials" setting? Interesting! Thanks for clarifying.


No, it still has an effect. CORS operates on a per-origin basis, while privacy mitigations operate on a per-site basis. You might want withCredentials if www.site.example wanted to share cookies with forums.site.example.
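The origin-versus-site distinction in the comment above, as an added example that is not part of the original thread. It assumes a tiny constructed suffix set in place of the real Public Suffix List, and models the privacy mitigation as withholding cookies on every cross-site request; `registrableDomain`, `relation` and `cookiesAttached` are hypothetical names.

```javascript
// Constructed stand-in for the Public Suffix List (assumption, not real data).
const SUFFIXES = new Set(["example", "com", "co.uk"]);

// Registrable domain = longest matching public suffix plus one more label.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      // A host that is itself a public suffix has no registrable domain.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Origin compares scheme + host + port; site compares scheme + registrable domain.
function relation(pageUrl, targetUrl) {
  const a = new URL(pageUrl);
  const b = new URL(targetUrl);
  if (a.origin === b.origin) return "same-origin";
  const da = registrableDomain(a.hostname);
  const db = registrableDomain(b.hostname);
  if (da && da === db && a.protocol === b.protocol) return "same-site";
  return "cross-site";
}

// Whether an XHR from pageUrl to targetUrl carries cookies in this model.
function cookiesAttached(pageUrl, targetUrl, withCredentials) {
  switch (relation(pageUrl, targetUrl)) {
    case "same-origin":
      return true; // not a cross-origin request, the flag has no effect
    case "same-site":
      return withCredentials; // cross-origin: the caller must opt in
    default:
      return false; // cross-site: the per-site mitigation withholds cookies
  }
}

const page = "https://www.site.example/";
for (const target of [page, "https://forums.site.example/api", "https://other.example/api"]) {
  console.log(target, relation(page, target), cookiesAttached(page, target, true));
}
```

For the same-site case the response is readable by the caller only if the server also answers with `Access-Control-Allow-Credentials: true` and a specific, non-wildcard `Access-Control-Allow-Origin`.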



