XMLHttpRequest.withCredentials "always" set to true

[KeremTubluk]

There seems to be a problem with the xhr polling as it sets withCredentials to true if withCredentials exits in xhr (This always happens?).

As the engine.io-server does not depend on the extra information granted by withCredentials (Cookies e.g.), should not this be set to false by default? And/or should there be a configuration for it?

Line 226-229 in polling-xhr.js
// ie6 check
if ('withCredentials' in xhr) {
  xhr.withCredentials = true;
}

[mohitncode]

Hi Kerem,

From the MDN XMLHttpRequest.withCredentials page:

The XMLHttpRequest.withCredentials property is a Boolean that indicates whether or not cross-site Access-Control requests should be made using credentials such as cookies, authorization headers or TLS client certificates. Setting withCredentials has no effect on same-site requests.

Since this flag is necessary for cross-domain XHR requests and doesn't make a difference for same domain requests, I guess it is left as true by default.

[darrachequesne]

Closed due to inactivity, please reopen if needed.

[ipeychev]

We have the same problem and we would like to reopen this issue.

The user should be able to configurewithCredentials. We want to be able to set it to false to handle sub-domains of public suffixes domains. Moreover, false is the default value.

Our suggestion is to make withCredentials configurable.

[ValorLin]

It should defaults to be false, and it should be configurable.

[ghost]

We are having same problem and want withCredentials to be false. Is there any workaround available for this?

[DuBistKomisch]

I don't have permission to reopen this issue but I've submitted a PR adding an option for this: #614