httpRequest里的withCredentials

问：为什么只有在http请求里设置了withCredentials = true才能收到http-only cookie。

查看mdn文档得知：

The **XMLHttpRequest.withCredentials** property is a Boolean that indicates whether or not cross-site Access-Control requests should be made using credentials such as cookies, authorization headers or TLS client certificates. Setting withCredentials has no effect on same-site requests.

XMLHttpRequest.withCredentials是一个布尔值，它定义了跨站请求是否使用如cookies、authorization headers、或TLS证书这样的身份验证信息。对本站请求来说，withCredentials无效。

In addition, this flag is also used to indicate when cookies are to be ignored in the response. The default is false. XMLHttpRequest from a different domain cannot set cookie values for their own domain unless withCredentials is set to true before making the request. The third-party cookies obtained by setting withCredentials to true will still honor same-origin policy and hence can not be accessed by the requesting script through document.cookie or from response headers.

withCredentials同样用来定义是否忽略response里的cookies，默认false。如果不将withCredentials值设为true，则其他域名下的XMLHttpResquest请求将无法为其自身域名设置cookie值。