CORS is supported in the following browsers:

Chrome 3+
Firefox 3.5+
Opera 12+
Safari 4+
Internet Explorer 8+

这些浏览器不会驳回我的cross site request 如果我有credential是的话。
　
为了正常工作，serve也必须设置一个key值为true才可以。
In order for this to work, the server must also enable credentials by setting the Access-Control-Allow-Credentials response header to “true”. See the server section for details.

Access-Control-Allow-Credentials: true

这个.withCredentials 属性会被夹带入从远程服务器发送回来的cookies里面，这些cookies的domain不是我们自己的网站，所以js代码无法set里面的值。
这就解释了为什么浏览器会允许这样的跨域操作了，因为此时server使用了cookies告诉了浏览器，可以跨域操作。

The .withCredentials property will include any cookies from the remote domain in the request, and it will also set any cookies from the remote domain. Note that these cookies still honor same-origin policies, so your JavaScript code can’t access the cookies from document.cookie or the response headers. They can only be controlled by the remote domain.

// Create the XHR object.
function createCORSRequest(method, url) {
  var xhr = new XMLHttpRequest();
  if ("withCredentials" in xhr) {
    // XHR for Chrome/Firefox/Opera/Safari.
    // 在非IE浏览器里，set这个为true，告诉浏览器我们要发送CORS请求
    xhr.open(method, url, true);      
  } else if (typeof XDomainRequest != "undefined") {
    // XDomainRequest for IE.
    xhr = new XDomainRequest();
    xhr.open(method, url);
  } else {
    // CORS not supported.
    xhr = null;
  }
  return xhr;
}

// Helper method to parse the title tag from the response.
function getTitle(text) {
  return text.match('<title>(.*)?</title>')[1];
}

// Make the actual CORS request.
function makeCorsRequest() {
  // This is a sample server that supports CORS.
  var url = 'http://html5rocks-cors.s3-website-us-east-1.amazonaws.com/index.html';

  var xhr = createCORSRequest('GET', url);
  if (!xhr) {
    alert('CORS not supported');
    return;
  }

  // Response handlers.
  xhr.onload = function() {
    var text = xhr.responseText;
    var title = getTitle(text);
    alert('Response from CORS request to ' + url + ': ' + title);
  };

  xhr.onerror = function() {
    alert('Woops, there was an error making the request.');
  };

  xhr.send();
}

A word about security

While CORS lays the groundwork for making cross-domain requests, the CORS headers are not a substitute for sound security practices. You shouldn't rely on the CORS header for securing resources on your site. Use the CORS headers to give the browser directions on cross-domain access, but use some other security mechanism, such as cookies or OAuth2, if you need additional security restrictions on your content.

Reference:
https://www.html5rocks.com/en/tutorials/cors/