No possibility to set xhr.withCredentials to false #4

Closed
RomanHotsiy opened this issue Nov 1, 2015 · 2 comments

@RomanHotsiy
Contributor

CORS requests to servers with a wildcarded Access-Control-Allow-Origin fail. For example, the following code:

SwaggerParser.bundle("https://petstore.swagger.io/v2/swagger.json")

fails with the following error:

XMLHttpRequest cannot load https://petstore.swagger.io/v2/swagger.json. A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'https://127.0.0.1:9000' is therefore not allowed access.

At the same time, the following code loads the schema:

var xhr= new XMLHttpRequest();
xhr.open("GET", "https://petstore.swagger.io/v2/swagger.json", true);
xhr.send();
// xhr.response contains schema after request finishes

I've done some investigation and have found out that the problem is in the browserify http module. By default it sets the withCredentials option of XMLHttpRequest to true.

It would be great to have some $RefParser option to control this behavior.

@JamesMessinger
Member

Thanks for the PR. Sorry for taking so long to get to it, but I'm reviewing/merging it right now.

I think I'm going to make withCredentials false by default. Most people will be either downloading from servers that don't have CORS enabled at all, or that have Access-Control-Allow-Origin set to a wildcard. So it seems good to make the default behavior work for those people. The only people who will need to explicitly set the http.withCredentials option to true are those who are specifically downloading files from a CORS-enabled server that requires authentication (which seems like an edge case).

What do you think?

@RomanHotsiy
Contributor Author

It makes sense. Totally agree
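
The rule behind the error message in this issue, as an added example that is not part of the original thread or the project's code: a simplified model of the check a browser applies to a cross-origin response, showing why a wildcard `Access-Control-Allow-Origin` passes only when `withCredentials` is false. The names `corsCheck` and `demo` and the sample response headers are constructed for illustration; preflight handling is left out.

```javascript
// Added example: simplified model of the CORS check a browser applies to the
// response of a simple cross-origin GET (no preflight handling).
function corsCheck(requestOrigin, responseHeaders, withCredentials) {
  // Header names are case-insensitive, so normalise them first.
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = String(value).trim();
  }
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    return { allowed: false, reason: 'missing Access-Control-Allow-Origin' };
  }
  // A wildcard only satisfies requests made without credentials.
  if (allowOrigin === '*') {
    return withCredentials
      ? { allowed: false, reason: 'wildcard not allowed with credentials' }
      : { allowed: true, reason: 'wildcard, no credentials' };
  }
  // Otherwise the header must echo the requesting origin exactly.
  if (allowOrigin !== requestOrigin) {
    return { allowed: false, reason: 'origin mismatch' };
  }
  if (!withCredentials) {
    return { allowed: true, reason: 'origin match, no credentials' };
  }
  // Credentialed requests also need an explicit, case-sensitive opt-in.
  if (headers['access-control-allow-credentials'] !== 'true') {
    return { allowed: false, reason: 'missing Access-Control-Allow-Credentials: true' };
  }
  return { allowed: true, reason: 'origin match, credentials allowed' };
}

// Constructed sample responses (not captured from a real server).
const ORIGIN = 'https://127.0.0.1:9000'; // origin from the error message above
const wildcardServer = { 'Access-Control-Allow-Origin': '*' };
const authServer = {
  'Access-Control-Allow-Origin': ORIGIN,
  'Access-Control-Allow-Credentials': 'true',
};

function demo() {
  return [
    ['wildcard, withCredentials=true', corsCheck(ORIGIN, wildcardServer, true)],
    ['wildcard, withCredentials=false', corsCheck(ORIGIN, wildcardServer, false)],
    ['auth server, withCredentials=true', corsCheck(ORIGIN, authServer, true)],
  ].map(([label, r]) => `${label}: ${r.allowed ? 'allowed' : 'blocked'} (${r.reason})`);
}
console.log(demo().join('\n'));
```

With `withCredentials` false the browser also leaves cookies and HTTP authentication off the cross-origin request, so the false default sends no ambient credentials to third-party schema hosts.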
