Document withCredentials and its non standard default

[jamestalmage]

withCredentials defaults to false on XMLHttpRequest, but the opposite was chosen in this library. This can cause difficult to understand failures depending on the CORS headers returned by the server (it's an issue when calling the GitHub v3 API for example).

The alternative would be to default to false to stay consistent with XMLHttpRequest, but that is likely a breaking change for some downstream apps, and I am going to assume the current strategy was chosen for a reason.

[elyobo]

Yeah, this was a surprise for me. It would be interesting if @substack could add to this PR to give the background for the withCredentials default.