How to disable 'withcredentials' in HTTP header with node.js and Request package?

Using node.js and the Request package from the browser (via browserify), I am using CORS to do a HTTP GET request on a separate domain.

On the server, when I set 'Access-Control-Allow-Origin' to the wildcard '*', I get the following error on the client:

  • Long delay [~1s] between browser attempting to connect and Socket.Accept()
  • Why angular still encode request as JSON? ( $http, $httpParamSerializerJQLike )
  • Simple XHR long polling without jQuery
  • HTTP or Websocket for a low-latency web game?
  • NodeJS - file upload with progress bar using Core NodeJS and the original Node solution
  • Why do browsers inefficiently make 2 requests here?
  • XMLHttpRequest cannot load …. A wildcard ‘*’ cannot be used in the
    ‘Access-Control-Allow-Origin’ header when the credentials flag is
    true. Origin ‘…’ is therefore not allowed access.

    The HTTP request header looks like this:

    User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36

    So clearly the problem is Access-Control-Request-Headers:withcredentials in the header, right?

    To be able to remove this, I need to set the ‘withcredentials’ property of the ‘XMLHttpRequest’ object to ‘false’. However, I cannot figure out where node.js or the Request package are creating the ‘XMLHttpRequest’ object, and how I can even access this.


  • What is the effect of starting a url with “//”, and leaving out “http:”
  • Angular 2 - Http-Testing - Error: “Cannot read property 'getCookie' of null”
  • Get the HTTP Basic Auth username from javascript?
  • Fastest way for a HTML page to redirect to a script
  • Make ajax POST without requiring a response?
  • getting status -1 instead 401 Angularjs
  • One Solution collect form web for “How to disable 'withcredentials' in HTTP header with node.js and Request package?”

    After some investigation, I discovered that the withCredentials setting can be passed in via the options parameter object:

    var req = http.request({
        withCredentials: false
    }, function(res) {

    If undefined, the default setting is true.

    Reference from the http-browserify/lib/request.js source:

    if (typeof params.withCredentials === 'undefined') {
        params.withCredentials = true;
    try { xhr.withCredentials = params.withCredentials }
    catch (e) {}