Add option for setting xhr.withCredentials (#13)

* Add option for setting xhr.withCredentials

- Support for withCredentials already existed, there was just no way to set it
- Test cases might fail in Chrome 80+ due to httpbin cookie settings, see code comments

* Fix type-o in test comments

Author: neilsot

README.md

@@ -69,9 +69,9 @@ the request is done, or rejects if it fails.
 * **options**:
     * priority: Defines the order in which requests get sent. One of the following:
         * RequestQueue.LOW
-        * RequestQueue.MEDIUM (default) 
+        * RequestQueue.MEDIUM (default)
         * RequestQueue.HIGH
-        * RequestQueue.HIGHEST 
+        * RequestQueue.HIGHEST
 
         HIGHEST is special: It actually aborts HIGH, MEDIUM or LOW requests to be tried again,
         if there are too many requests in flight)
@@ -86,6 +86,7 @@ the request is done, or rejects if it fails.
         * image: Returns an Image
     * headers: Object of additional headers to set
     * auth: contents of the 'Authorization' header if supplied
+    * withCredentials: Enable or disable sending credentials with cross-site XHR requests (default false)
 
 #### RequestQueue.get(url, {options})
 #### RequestQueue.post(url, {options})

src/index.ts

@@ -14,6 +14,7 @@ export interface Options {
   body?: string;
   maxRetries?: number;
   auth?: string;
+  withCredentials?: boolean;
   headers?: { [key: string]: any };
   onProgress?: (evt: ProgressEvent) => void;
 }
@@ -220,6 +221,7 @@ export class Request {
   maxRetries: number | null
   responseType: string | null
   auth: string | null
+  withCredentials: boolean
   body: string | FormData | null
   headers: { [key: string]: any }
 
@@ -251,6 +253,7 @@ export class Request {
     this.url = url
     this.method = method
     this.auth = options.auth || null
+    this.withCredentials = options.withCredentials || false
     this.priority = options.priority || RequestPriority.MEDIUM
     this.responseType = options.responseType || null
     this.body = options.body || null
@@ -269,7 +272,7 @@ export class Request {
    * @returns {Promise<any>}
    */
   send(): Promise<any> {
-    const xhr = this.xhr = openXHR(this.method, this.url, false)
+    const xhr = this.xhr = openXHR(this.method, this.url, this.withCredentials)
 
     if (this.responseType) {
       if (this.responseType === 'arraybuffer' ||

src/tests.ts

@@ -38,6 +38,53 @@ test('authorization header', (t : any) => {
   })
 })
 
+/**
+ * Tests request with cross-site credentials enabled,
+ * cookies should be sent to external domain via request headers
+ *
+ * Note: If this test fails in Chrome >= 80, it may be due to httpbin
+ * not setting the `SameSite=None` or `Secure` flags when creating cookies
+ *
+ * See https://www.chromestatus.com/feature/5088147346030592 and
+ * chrome://flags/#same-site-by-default-cookies
+ */
+test('xhr with credentials', (t : any) => {
+  t.plan(2)
+  const requests = new RequestQueue()
+  const cookie = 'token=xyz';
+  requests.get(`${TEST_URL}/cookies/set?${cookie}`).then(() => {
+    requests.get(`${TEST_URL}/headers`, {
+      withCredentials: true,
+      responseType: 'json'
+    }).then((response) => {
+      t.assert('Cookie' in response.headers)
+      t.equal(response.headers.Cookie, cookie);
+    });
+  }).catch(() => {
+    t.fail('Request failed')
+  })
+})
+
+/**
+ * Tests request with cross-site credentials disabled,
+ * cookies should not be passed to external origin via request headers
+ */
+test('xhr without credentials', (t : any) => {
+  t.plan(1)
+  const requests = new RequestQueue()
+  const cookie = 'token=xyz';
+  requests.get(`${TEST_URL}/cookies/set?${cookie}`).then(() => {
+    requests.get(`${TEST_URL}/headers`, {
+      withCredentials: false,
+      responseType: 'json'
+    }).then((response) => {
+      t.assert(!('Cookie' in response.headers));
+    });
+  }).catch(() => {
+    t.fail('Request failed')
+  })
+})
+
 test('arraybuffer responseType', (t : any) => {
   t.plan(2)
   const requests = new RequestQueue()