It is a very strange API inconsistency if XHR defaults to credentials=false, but EventSource to credentials=true.
Not if we do not expose all of the features XMLHttpRequest has. Besides, .withCredentials was a bad idea. That is where the inconsistency with other cross-origin requests started. (In retrospect I very much wish I fought harder to keep the consistency.)
-- Anne van Kesteren http://annevankesteren.nl/
