Consider default 'credentials' to 'same-origin' #26

Closed
oatkiller opened this issue Dec 13, 2024 · 2 comments

@oatkiller
credentials: this.withCredentials ? 'include' : 'omit',

A call to native EventSource with no init dict causes the browser to pass along HTTP-only secure cookies to requests on the same origin. That is the behavior I want. With your implementation 'omit' is the default, which blocks this. I can pass 'true' to withCredentials, but then the value passed to fetch for credentials is include, which is overly permissive.

I apologize if this suggestion is off-base, or against the spec. Thanks for your consideration.

Best,
Robert

@lukas-reining
Owner

Hey @oatkiller, thanks for pointing this out, this was an oversight.

> but then the value passed to fetch for credentials is include, which is overly permissive.

It is! I also had another look into the spec, and changing the value for false to same-site would actually be spec-conformant.

> I apologize if this suggestion is off-base, or against the spec. Thanks for your consideration.

I am grateful you opened this :)

@lukas-reining
Owner

Hey @oatkiller, I fixed this in #27.
This has been released as a breaking change to be sure that the changed cookie behavior is made clear to the users.
https://github.com/lukas-reining/eventsource/releases/tag/v2.0.0
Thank you again for the feedback! Please let me know if there is anything else to consider from your side with this change or anything else.
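To make the cookie behavior discussed above concrete, here is an added example (not code from the eventsource library or from either participant) that puts the old `withCredentials ? 'include' : 'omit'` mapping next to the `same-origin` default the issue asks for, and simulates which requests would carry cookies under each fetch credentials mode. The `cookieSent` model and the `https://app.example` / `https://api.other.example` origins are constructed for illustration; it ignores the cookie `SameSite` attribute and CORS `Access-Control-Allow-Credentials`, which further restrict the `include` case in a real browser.

```javascript
// Mapping before the fix, as quoted in the issue: a plain EventSource (no
// withCredentials) ends up with 'omit', so even same-origin cookies are dropped.
function legacyCredentialsFor(withCredentials) {
  return withCredentials ? 'include' : 'omit';
}

// Mapping after the fix (assumed; matches the issue's request): the default
// sends cookies only to the page's own origin, and opting in widens it to
// 'include', which also sends them cross-origin.
function credentialsFor(withCredentials) {
  return withCredentials ? 'include' : 'same-origin';
}

// Constructed model of the fetch credentials modes, not browser code.
// Returns whether a request from pageOrigin to requestUrl would carry cookies.
function cookieSent(mode, pageOrigin, requestUrl) {
  const sameOrigin = new URL(requestUrl).origin === pageOrigin;
  switch (mode) {
    case 'omit':
      return false;          // never attach credentials
    case 'same-origin':
      return sameOrigin;     // attach only when origins match
    case 'include':
      return true;           // attach to every request, cross-origin too
    default:
      throw new TypeError(`unknown credentials mode: ${mode}`);
  }
}

// Walk through the scenarios from the issue for one page origin.
function compareDefaults(pageOrigin, ownUrl, foreignUrl) {
  const rows = [];
  for (const withCredentials of [false, true]) {
    for (const [label, map] of [['legacy', legacyCredentialsFor], ['fixed', credentialsFor]]) {
      const mode = map(withCredentials);
      rows.push({
        label, withCredentials, mode,
        ownOrigin: cookieSent(mode, pageOrigin, ownUrl),
        foreignOrigin: cookieSent(mode, pageOrigin, foreignUrl),
      });
    }
  }
  return rows;
}

console.table(compareDefaults('https://app.example',
  'https://app.example/events', 'https://api.other.example/events'));
```

The table shows the point raised in the thread: with the legacy default, cookies never reach the page's own origin, and the only way to get them is `'include'`, which also leaks them cross-origin; the `'same-origin'` default covers the common case without that.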

@lukas-reining lukas-reining self-assigned this Dec 15, 2024