Cookie in AJAX response from other domain not honored

Published 2019-07-23 02:38

Question:

I have a server-side API on the domain api.example.com

User is visiting www.website.com where a script makes an XmlHttpRequest to api.example.com and gets a response with a cookie.

It appears the API's response cookie is not honored by the HTTP agent.

I'm aware of the non-cross-domain-leaking-cookie policy, but I thought the domain here would be api.example.com. Seems I guessed wrong.

Is there some other way that my API on api.example.com could remember user data from one site to another? If not, how could services like Criteo and other retargeting sites work, from this point of view?

Answer 1:

Make sure your API sets:

  1. Access-Control-Allow-Credentials header to true in possible preflight response and regular response,
  2. Access-Control-Allow-Origin header to value of the origin from the actual request,
  3. and the client sets XMLHttpRequest.withCredentials to true.
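The three steps above, put together as an added example (this is not code from the question or the answer). It is a small Node.js handler for api.example.com that echoes an allow-listed Origin, sets Access-Control-Allow-Credentials, answers the preflight, and sets the cookie with the attributes a cross-site cookie needs in current browsers (SameSite=None; Secure). The allow-list, the cookie name and the `/session` path are assumptions made for illustration; the request-to-response mapping is kept free of sockets so it can be exercised offline.

```javascript
// Added example, not the original poster's code. Assumed allow-list of
// front-end origins permitted to call the API with credentials.
const ALLOWED_ORIGINS = new Set(['https://www.website.com']);

// Build the CORS response headers for one request. Returns null when the
// Origin header is missing or not on the allow-list so the caller can reject it.
function corsHeadersFor(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    // Step 2: echo the specific origin. Browsers refuse "*" when credentials
    // are involved, so a wildcard would silently break the cookie again.
    'Access-Control-Allow-Origin': origin,
    // Step 1: without this the browser discards Set-Cookie on the response
    // and never sends cookies on later requests, even with withCredentials.
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type',
    // The response depends on Origin, so shared caches must key on it.
    'Vary': 'Origin',
  };
}

// Attributes a third-party (cross-site) cookie needs today: SameSite=None so
// the browser will attach it to cross-site requests at all, and Secure
// because SameSite=None is only honoured over HTTPS. Cookie name is assumed.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=None; Max-Age=86400`;
}

// Pure request -> response mapping. `req` is { method, headers } with
// lower-case header names, as Node's http module delivers them.
function handle(req) {
  const origin = req.headers['origin'];
  const cors = corsHeadersFor(origin);
  if (!cors) {
    // Unknown or absent Origin: no CORS headers, so the browser blocks the read.
    return { status: 403, headers: {}, body: 'origin not allowed' };
  }
  if (req.method === 'OPTIONS') {
    // Preflight: CORS headers only, no body, no cookie (the browser ignores
    // Set-Cookie on preflight responses anyway).
    return { status: 204, headers: cors, body: '' };
  }
  return {
    status: 200,
    headers: {
      ...cors,
      'Content-Type': 'application/json',
      'Set-Cookie': sessionCookie('api_session', 'abc123'),
    },
    body: JSON.stringify({ ok: true }),
  };
}

// Adapter onto a real Node.js HTTP listener (not started automatically).
function serve(port) {
  const http = require('http');
  return http.createServer((req, res) => {
    const out = handle({ method: req.method, headers: req.headers });
    res.writeHead(out.status, out.headers);
    res.end(out.body);
  }).listen(port);
}

// Step 3, client side: this runs in the page on www.website.com, not in Node.
// It is included for reference only and is never called here.
function clientRequest() {
  const xhr = new XMLHttpRequest();
  xhr.open('GET', 'https://api.example.com/session');
  xhr.withCredentials = true; // without this the cookie is neither stored nor sent
  xhr.send();
}

module.exports = { corsHeadersFor, sessionCookie, handle, serve, clientRequest };
```

Two caveats worth knowing before relying on this: the allow-list matters, because echoing an arbitrary Origin together with Allow-Credentials lets any site make authenticated calls to the API on the user's behalf; and Safari and Firefox block third-party cookies by default, so even a correctly configured cookie may never be stored when api.example.com is embedded from www.website.com.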