fix: xhr.withCredentials is initially `false`

[feltnerm]

According to the XMLHttpRequest2 spec, xhr.withCredentials should be initially false. http-browserify sets this flag to true by default which disobeys the spec. This leads to browser errors when making CORS requests to domains that have wildcards in their Access-Control-Allow-Origin header.

http-browserify should attempt to follow the spec by default. In this case, that means setting withCredentails to false initially, and then allowing the user to override that in the passing in params.

Maybe it is possible to auto-detect when user credentials are being sent and then set the withCredentials flag from there.

Somewhat related to #35 (the committer there expressed concern about withCredentials being true when unintialzed as well).

[gsf]

I just ran into this as well. I was glad the withCredentials option was available, but agree it should default to false.

[feltnerm]

I just ran into this as well. I was glad the withCredentials option was available, but agree it should default to false.

Yeah, it was annoying that I had a dependency that was using the http module but was not specifying the withCredentials option resulting in CORS errors. If withCredentials followed the spec, I would not have to modify/fork dependencies to work with http in the browser.

[agrueneberg]

I ran into this as well. Please merge. xhr.withCredentials definitely shouldn't be true by default.

[imhoffd]

This is not good. Please merge.

[feltnerm]

similar to #90