且构网

Reading cookies from a different domain

Updated: 2021-08-06 00:10:40

You can't.

The only cookies you can read with client side JavaScript are those belonging to the host of the HTML document in which the <script> is embedded.

By setting withCredentials you can support cookies in cross-origin requests, but they are handled transparently by the browser and JS has no direct access to them (the XHR spec goes so far as to explicitly ban getAllResponseHeaders from reading cookie-related headers). The only way for a cross-origin request to get access to cookies is for the server (which you say you don't have access to) to copy the data into the body or a different response header.
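
The server-side half of that last point, as an added example that is not part of the original answer: handler logic that copies one deliberately chosen cookie into the JSON body of a credentialed cross-origin response. The origin `https://app.example`, the cookie name `theme`, and the function names are assumptions made for illustration.

```javascript
// Constructed values: the allowed origin and the cookie name are assumptions.
const ALLOWED_ORIGINS = new Set(["https://app.example"]);
const EXPOSED_COOKIES = new Set(["theme"]); // never list session or HttpOnly cookies

// Parse a Cookie request header ("a=1; b=2") into a prototype-free object.
function parseCookieHeader(header) {
  const out = Object.create(null);
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (!name || name in out) continue; // skip nameless pairs; first value wins
    let value = part.slice(eq + 1).trim();
    try { value = decodeURIComponent(value); } catch (_) { /* keep raw value */ }
    out[name] = value;
  }
  return out;
}

// Build the response to a credentialed cross-origin GET.
// reqHeaders uses lower-case keys, as Node's http module supplies them.
function cookieEchoResponse(reqHeaders) {
  const origin = reqHeaders.origin;
  if (!ALLOWED_ORIGINS.has(origin)) {
    // No CORS headers: the browser keeps the response from the calling script.
    return { status: 403, headers: {}, body: "" };
  }
  const cookies = parseCookieHeader(reqHeaders.cookie);
  const exposed = {};
  for (const name of EXPOSED_COOKIES) {
    if (name in cookies) exposed[name] = cookies[name];
  }
  return {
    status: 200,
    headers: {
      // Credentialed CORS needs the exact origin; browsers reject "*" here.
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
      "Vary": "Origin",
      "Content-Type": "application/json",
      "Cache-Control": "no-store",
    },
    body: JSON.stringify(exposed),
  };
}

// Client side: fetch(url, { credentials: "include" }).then(r => r.json())
```

Only cookies named in the allowlist reach the body, so a session identifier sent in the same `Cookie` header stays invisible to the calling script.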