From e498db80e8439cf8146f571c04cf440ba80c1c5f Mon Sep 17 00:00:00 2001
From: Mark Feltner <mfeltner@widen.com>
Date: Fri, 28 Mar 2014 15:34:42 -0500
Subject: [PATCH] fix: xhr.withCredentials is initially `false`

According to the [XMLHttpRequest2 spec](http://www.w3.org/TR/XMLHttpRequest2/#the-withcredentials-attribute),
`xhr.withCredentials` should be initially `false`. http-browserify sets this
flag to `true` by default which disobeys the spec. This leads to browser errors when
making CORS requests to domains that have wildcards in their
Access-Control-Allow-Origin header.

http-browserify should attempt to follow the spec by default. In this case,
that means setting `withCredentails` to `false` initially, and then allowing
the user to override that in the passing in `params`.

Maybe it is possible to auto-detect when [user credentials](http://www.w3.org/TR/XMLHttpRequest2/#user-credentials)
are being sent and then set the `withCredentials` flag from there.

Somewhat related to #35 (the committer there expressed concern about
`withCredentials` being `true` when unintialzed as well).
---
 lib/request.js      | 11 +++--------
 test/request_url.js |  2 +-
 2 files changed, 4 insertions(+), 9 deletions(-)

diff --git a/lib/request.js b/lib/request.js
index 7c0a467..e1631a6 100644
--- a/lib/request.js
+++ b/lib/request.js
@@ -8,20 +8,15 @@ var Request = module.exports = function (xhr, params) {
     self.writable = true;
     self.xhr = xhr;
     self.body = [];
-    
+
     self.uri = (params.scheme || 'http') + '://'
         + params.host
         + (params.port ? ':' + params.port : '')
         + (params.path || '/')
     ;
-    
-    if (typeof params.withCredentials === 'undefined') {
-        params.withCredentials = true;
-    }
 
-    try { xhr.withCredentials = params.withCredentials }
-    catch (e) {}
-    
+    xhr.withCredentials = params.withCredentials || false;
+
     xhr.open(
         params.method || 'GET',
         self.uri,
diff --git a/test/request_url.js b/test/request_url.js
index e622419..6a0b896 100644
--- a/test/request_url.js
+++ b/test/request_url.js
@@ -68,7 +68,7 @@ test('Test withCredentials param', function(t) {
   t.equal( request.xhr.withCredentials, true, 'xhr.withCredentials should be true');
 
   var request = http.request({ url: url }, noop);
-  t.equal( request.xhr.withCredentials, true, 'xhr.withCredentials should be true');
+  t.equal( request.xhr.withCredentials, false, 'xhr.withCredentials should be false');
 
   t.end();
 });