Currently, if a resource sharing check fails, cookies will still be set for
a credentialed request similarly to how they would be with <form> or
<img>. However, it seems that HTML defines for <img crossorigin> that the
UA must act as if there was no response at all. That does not work, of
course, for the normal <img> case where the server could still opt in to
sharing, but would work for XMLHttpRequest.
I think I will try to adopt that stricter behavior. Please speak up if you
disagree.
--
Anne van Kesteren
http://annevankesteren.nl/
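
The difference between the two behaviors discussed in the message above, as an added example that is not part of the original message or of any specification text. It is a toy model of a user agent; the function names, the "current"/"strict" policy labels and the sample responses are all assumptions made for illustration.

```javascript
// Added illustration: toy model of a UA handling the response to a
// credentialed cross-origin XMLHttpRequest. All names are hypothetical.

// Resource sharing check for a credentialed request: the allowed origin must
// equal the requesting origin ("*" does not pass) and credentials must be
// explicitly allowed.
function resourceSharingCheck(origin, headers) {
  return headers["access-control-allow-origin"] === origin &&
         headers["access-control-allow-credentials"] === "true";
}

// Store name=value from each Set-Cookie line (attributes ignored for brevity).
function storeCookies(jar, setCookieLines) {
  for (const line of setCookieLines) {
    const pair = line.split(";")[0];
    const eq = pair.indexOf("=");
    if (eq > 0) jar.set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
  }
}

// policy "current": cookies are stored even when the check fails.
// policy "strict":  a failed check is treated as if there was no response.
function handleResponse(policy, origin, response) {
  const jar = new Map();
  const passed = resourceSharingCheck(origin, response.headers);
  if (passed || policy === "current") storeCookies(jar, response.setCookie);
  const visible = passed ? { status: response.status, body: response.body }
                         : { networkError: true };
  return { visible, cookies: Object.fromEntries(jar) };
}

// Constructed sample responses (not captured traffic).
const ORIGIN = "https://app.example";
const noOptIn = { status: 200, body: "secret", headers: {},
                  setCookie: ["track=abc123; Path=/; HttpOnly"] };
const optedIn = { ...noOptIn, headers: {
  "access-control-allow-origin": ORIGIN,
  "access-control-allow-credentials": "true" } };

for (const policy of ["current", "strict"]) {
  console.log(policy, JSON.stringify(handleResponse(policy, ORIGIN, noOptIn)),
              JSON.stringify(handleResponse(policy, ORIGIN, optedIn)));
}
```

In both policies the script never sees the body of the response that failed the check; the only difference is whether the cookie jar changed as a side effect.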