make browser keep cross-site cookie

Preconditions:

1. request with credentials
   • if use fetch, should contain credentials: 'include'
   • if use XMR, should with withCredentials: true
2. if the request is cross-origin, such as requesting api.xxx.dev from site.xxx.dev, the response header should pass the browser's CORS check.

then, the response header should like this:

set-cookie: Authorization=xxx; Path=/; Domain=.xxx.dev; Max-Age=<time>; Expires=<time stamp>; Secure; HttpOnly; SameSite=None