HTTP access control - MDC
Line 8 shows the flag on XMLHttpRequest that has to be set in order to make the invocation with Cookies, namely the withCredentials boolean value. By default, the invocation is made without Cookies.
Cross-Origin Resource Sharing (CORS) - HTTP | MDN
XHRの話だけど、この withCredentials つけないとクロスドメインでcookie出ないっていうの関係ないかなー