Notes on Cross-Origin Resource Sharing (CORS)
Cookies on CORS
When a Fetch API or XMLHttpRequest API request uses CORS, browsers will ignore Set-Cookie headers present in the server’s response unless the request includes credentials. Visit Using the Fetch API - Including credentials and the XMLHttpRequest article to learn how to include credentials.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie
Note: When responding to a credentialed requests request, the server must specify an origin in the value of the Access-Control-Allow-Origin header, instead of specifying the * wildcard.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS
crossorigin attribute
By default (that is, when the attribute is not specified), CORS is not used at all. The user agent will not ask for permission for full access to the resource and in the case of a cross-origin request, certain limitations will be applied based on the type of element concerned:
Element Restrictions img,audio,videoWhen resource is placed in <canvas>, element is marked as tainted.scriptAccess to error logging via window.onerrorwill be limited.linkRequest with no appropriate crossoriginheader may be discarded.
https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Attributes/crossorigin
interactive-widget=resizes-content
Not about CORS.
<meta name="viewport" content="width=device-width, interactive-widget=resizes-content">