XHRSettings.withCredentials is a new boolean property that controls the withCredentials setting of the XHR Request made by the Loader. It indicates whether or not cross-site Access-Control requests should be made using credentials such as cookies, authorization headers or TLS client certificates. You can set this on a per-file basis, or global in the Game Config.

photonstorm · photonstorm · commit bf0feee498ca · 2020-01-22T16:29:47.000Z
diff --git a/src/loader/XHRSettings.js b/src/loader/XHRSettings.js
@@ -15,16 +15,18 @@
  * @param {string} [user=''] - Optional username for the XHR request.
  * @param {string} [password=''] - Optional password for the XHR request.
  * @param {integer} [timeout=0] - Optional XHR timeout value.
+ * @param {boolean} [withCredentials=false] - Optional XHR withCredentials value.
  *
  * @return {Phaser.Types.Loader.XHRSettingsObject} The XHRSettings object as used by the Loader.
  */
-var XHRSettings = function (responseType, async, user, password, timeout)
+var XHRSettings = function (responseType, async, user, password, timeout, withCredentials)
 {
     if (responseType === undefined) { responseType = ''; }
     if (async === undefined) { async = true; }
     if (user === undefined) { user = ''; }
     if (password === undefined) { password = ''; }
     if (timeout === undefined) { timeout = 0; }
+    if (withCredentials === undefined) { withCredentials = false; }
 
     // Before sending a request, set the xhr.responseType to "text",
     // "arraybuffer", "blob", or "document", depending on your data needs.
@@ -50,7 +52,10 @@ var XHRSettings = function (responseType, async, user, password, timeout)
         requestedWith: false,
 
         //  overrideMimeType
-        overrideMimeType: undefined
+        overrideMimeType: undefined,
+
+        //  withCredentials
+        withCredentials: withCredentials
 
     };
 };
diff --git a/src/loader/typedefs/XHRSettingsObject.js b/src/loader/typedefs/XHRSettingsObject.js
@@ -11,4 +11,5 @@
  * @property {(string|undefined)} [headerValue] - This value is used to populate the XHR `setRequestHeader` and is undefined by default.
  * @property {(string|undefined)} [requestedWith] - This value is used to populate the XHR `setRequestHeader` and is undefined by default.
  * @property {(string|undefined)} [overrideMimeType] - Provide a custom mime-type to use instead of the default.
+ * @property {boolean} [withCredentials=false] - The withCredentials property indicates whether or not cross-site Access-Control requests should be made using credentials such as cookies, authorization headers or TLS client certificates. Setting withCredentials has no effect on same-site requests.
  */
