No default withCredentials. Updated version of #47

[gsf]

Any reason to alter the default for xhr.withCredentials?

[gobengo]

I think it is a bad idea to change the default on such an important flag without a major version bump, or at least minor.

Though I would say if this was a fresh project that withCredentials should be false by default.

[gsf]

As discussed at naugtur/xhr#33 (click "Show outdated diff"), some believe the withCredentials default in the spec was a mistake, as was the Access-Control-Allow-Origin wildcard. I haven't found many resources to back this up, however. The commented text at http://enable-cors.org/server_nginx.html suggests this, but others (including http://fetch.spec.whatwg.org/#basic-safe-cors-protocol-setup) seem to favor the wildcard and the default of false.

[bmpvieira]

I would like to see this merged since withCredentials default to true prevents accessing resources on many servers and the solution might not be obvious for users. Especially if your like me using http-browserify through request browserified.

Resources examples:
http://data-gov.tw.rpi.edu/raw/1576/data-1576.nt.gz
http://ftp.ebi.ac.uk/pub/databases/ensembl/encode/integration_data_jan2011/hub.txt

[eush77]

Please merge. The current default behavior is totally unexpected.

[zwhitchcox]

Holy shit, please merge. That took me forever to figure out.

[recursify]

Any update on if/when this will get merged?