The credentials read-only property of the Request interface indicates whether the user agent should send cookies from the other domain in the case of cross-origin requests. This is similar to XHR’s withCredentials flag, but with three available values (instead of two):

  • omit: Never send cookies.
  • same-origin: Send user credentials (cookies, basic http auth, etc..) if the URL is on the same origin as the calling script. This is the default value.
  • include: Always send user credentials (cookies, basic http auth, etc..), even for cross-origin calls.

Syntax

var myCred = request.credentials;

Value

A RequestCredentials value representing the credentials to use for this transaction.

Example

In the following snippet, we create a new request using the Request.Request() constructor (for an image file in the same directory as the script), then save the request credentials in a variable:

var myRequest = new Request('flowers.jpg');
var myCred = myRequest.credentials; // returns "same-origin" by default

Specifications

Specification Status Comment
Fetch
The definition of 'credentials' in that specification.
Living Standard Initial definition

Browser compatibility

FeatureChromeEdgeFirefoxInternet ExplorerOperaSafari
Basic support

42

411

Yes

39

342

No

29

283

No
Default value same-origin ? ?61 No ? No
FeatureAndroid webviewChrome for AndroidEdge mobileFirefox for AndroidOpera AndroidiOS SafariSamsung Internet
Basic support No42 — 46 Yes No No No4.0
Default value same-origin ? ? ? No No No ?

1. From version 41: this feature is behind the Experimental Web Platform Features preference. To change preferences in Chrome, visit chrome://flags.

2. From version 34: this feature is behind the dom.fetch.enabled preference. To change preferences in Firefox, visit about:config.

3. From version 28: this feature is behind the Experimental Web Platform Features preference.

See also

Document Tags and Contributors

Last updated by: rixx,