Notes on Cross-Origin Resource Sharing (CORS)

Cookies on CORS

When a Fetch API or XMLHttpRequest API request uses CORS, browsers will ignore Set-Cookie headers present in the server’s response unless the request includes credentials. Visit "Using the Fetch API - Including credentials" and the XMLHttpRequest article to learn how to include credentials.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie

Note: When responding to a credentialed request, the server must specify an origin in the value of the Access-Control-Allow-Origin header, instead of specifying the * wildcard.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS
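
The two rules quoted above, as an added example (not code from MDN): a server-side helper that answers credentialed requests with an explicit allowlisted origin instead of *, and a simplified model of the browser's check. The origins, the allowlist, the function names and the cookie value are constructed for illustration.

```javascript
// Constructed allowlist: only these origins may make credentialed requests.
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);

// Server side: build the CORS response headers for a request's Origin header.
function corsHeadersFor(origin) {
  // The response differs per Origin, so shared caches must key on it.
  const headers = { 'Vary': 'Origin' };
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin; // explicit origin, never "*"
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers; // origins outside the allowlist get no CORS headers at all
}

// Browser side, simplified: SameSite and third-party cookie policy are not modelled.
function browserCheck(requestOrigin, withCredentials, headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  const acac = headers['Access-Control-Allow-Credentials'];
  // Credentialed: the wildcard is rejected, the origin must match exactly.
  // Uncredentialed: the wildcard or an exact match is enough.
  const readable = withCredentials
    ? acao === requestOrigin && acac === 'true'
    : acao === '*' || acao === requestOrigin;
  // Rule quoted above: Set-Cookie is ignored unless the request includes credentials.
  const setCookieHonoured = withCredentials && 'Set-Cookie' in headers;
  return { readable, setCookieHonoured };
}

// Walk through the cases (constructed inputs).
const origin = 'https://app.example.com';
const wildcard = { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' };
const explicit = { ...corsHeadersFor(origin), 'Set-Cookie': 'sid=constructed; Secure; HttpOnly' };
for (const [label, creds, hdrs] of [
  ['wildcard, credentialed', true, wildcard],
  ['wildcard, uncredentialed', false, wildcard],
  ['explicit origin, credentialed', true, explicit],
  ['explicit origin, uncredentialed', false, explicit],
]) {
  console.log(label, browserCheck(origin, creds, hdrs));
}
```

On a real client the credentialed case corresponds to fetch(url, { credentials: 'include' }) or xhr.withCredentials = true.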

crossorigin attribute

By default (that is, when the attribute is not specified), CORS is not used at all. The user agent will not ask for permission for full access to the resource and in the case of a cross-origin request, certain limitations will be applied based on the type of element concerned:

Element | Restrictions
img, audio, video | When resource is placed in <canvas>, element is marked as tainted.
script | Access to error logging via window.onerror will be limited.
link | Request with no appropriate crossorigin header may be discarded.

https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Attributes/crossorigin

interactive-widget=resizes-content

Not about CORS.

<meta name="viewport" content="width=device-width, interactive-widget=resizes-content">

https://lyra.horse/blog/2025/08/you-dont-need-js/