APIDevTools
diff --git a/‎dist/ref-parser.js
+549-424 b/‎dist/ref-parser.js
+549-424
diff --git a/‎dist/ref-parser.js.map
+30-32 b/‎dist/ref-parser.js.map
+30-32
diff --git a/‎dist/ref-parser.min.js
+74-72 b/‎dist/ref-parser.min.js
+74-72
diff --git a/‎dist/ref-parser.min.js.map
+31-33 b/‎dist/ref-parser.min.js.map
+31-33
diff --git a/‎docs/options.md
+13-13 b/‎docs/options.md
+13-13
diff --git a/‎lib/options.js
+9-4 b/‎lib/options.js
+9-4
diff --git a/‎package.json
+1-1 b/‎package.json
+1-1
diff --git a/‎tests/index.html
+2-2 b/‎tests/index.html
+2-2
diff --git a/‎tests/specs/cors/cors.spec.js
+26-17 b/‎tests/specs/cors/cors.spec.js
+26-17
@@ -21,16 +21,16 @@ $RefParser.dereference("my-schema.yaml", {
 });
 ```
 
-|Option           |Type     |Default   |Description
-|:----------------|:--------|:---------|:----------
-|`allow.json`     |bool     |true      |Determines whether JSON files are supported
-|`allow.yaml`     |bool     |true      |Determines whether YAML files are supported<br> (note: all JSON files are also valid YAML files)
-|`allow.empty`    |bool     |true      |Determines whether it's ok for a `$ref` pointer to point to an empty file
-|`allow.unknown`  |bool     |true      |Determines whether it's ok for a `$ref` pointer to point to an unknown/unsupported file type (such as HTML, text, image, etc.). The default is to resolve unknown files as a [`Buffer`](https://nodejs.org/api/buffer.html#buffer_class_buffer)
-|`$refs.internal` |bool     |true      |Determines whether internal `$ref` pointers (such as `#/definitions/widget`) will be dereferenced when calling [`dereference()`](ref-parser.md#dereferenceschema-options-callback).  Either way, you'll still be able to get the value using [`$Refs.get()`](refs.md#getref-options)
-|`$refs.external` |bool     |true      |Determines whether external `$ref` pointers get resolved/dereferenced. If `false`, then no files/URLs will be retrieved.  Use this if you only want to allow single-file schemas.
-|`$refs.circular` |bool or "ignore"     |true      |Determines whether [circular `$ref` pointers](README.md#circular-refs) are allowed. If `false`, then a `ReferenceError` will be thrown if the schema contains a circular reference.<br><br> If set to `"ignore"`, then circular references will _not_ be dereferenced, even when calling [`dereference()`](ref-parser.md#dereferenceschema-options-callback). No error will be thrown, but the [`$Refs.circular`](refs.md#circular) property will still be set to `true`.
-|`cache.fs`       |number   |60        |<a name="caching"></a>The length of time (in seconds) to cache local files.  The default is one minute.  Setting to zero will cache forever.
-|`cache.http`     |number   |300       |The length of time (in seconds) to cache HTTP URLs.  The default is five minutes.  Setting to zero will cache forever.
-|`cache.https`    |number   |300       |The length of time (in seconds) to cache HTTPS URLs.  The default is five minutes.  Setting to zero will cache forever.
-|`http.withCredentials`    |bool   |true       |When used in browser specifies `withCredentials` option of `XMLHttpRequest` object. Setting to `false` allows loading via CORS with `Access-Control-Allow-Origin` set to `*`
+|Option                |Type     |Default   |Description
+|:---------------------|:--------|:---------|:----------
+|`allow.json`          |bool     |true      |Determines whether JSON files are supported
+|`allow.yaml`          |bool     |true      |Determines whether YAML files are supported<br> (note: all JSON files are also valid YAML files)
+|`allow.empty`         |bool     |true      |Determines whether it's ok for a `$ref` pointer to point to an empty file
+|`allow.unknown`       |bool     |true      |Determines whether it's ok for a `$ref` pointer to point to an unknown/unsupported file type (such as HTML, text, image, etc.). The default is to resolve unknown files as a [`Buffer`](https://nodejs.org/api/buffer.html#buffer_class_buffer)
+|`$refs.internal`      |bool     |true      |Determines whether internal `$ref` pointers (such as `#/definitions/widget`) will be dereferenced when calling [`dereference()`](ref-parser.md#dereferenceschema-options-callback).  Either way, you'll still be able to get the value using [`$Refs.get()`](refs.md#getref-options)
+|`$refs.external`      |bool     |true      |Determines whether external `$ref` pointers get resolved/dereferenced. If `false`, then no files/URLs will be retrieved.  Use this if you only want to allow single-file schemas.
+|`$refs.circular`      |bool or "ignore"     |true      |Determines whether [circular `$ref` pointers](README.md#circular-refs) are allowed. If `false`, then a `ReferenceError` will be thrown if the schema contains a circular reference.<br><br> If set to `"ignore"`, then circular references will _not_ be dereferenced, even when calling [`dereference()`](ref-parser.md#dereferenceschema-options-callback). No error will be thrown, but the [`$Refs.circular`](refs.md#circular) property will still be set to `true`.
+|`cache.fs`            |number   |60        |<a name="caching"></a>The length of time (in seconds) to cache local files.  The default is one minute.  Setting to zero will cache forever.
+|`cache.http`          |number   |300       |The length of time (in seconds) to cache HTTP URLs.  The default is five minutes.  Setting to zero will cache forever.
+|`cache.https`         |number   |300       |The length of time (in seconds) to cache HTTPS URLs.  The default is five minutes.  Setting to zero will cache forever.
+|`http.withCredentials`|bool     |false     |When used in browser specifies [`withCredentials`](https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials) option of [`XMLHttpRequest`](https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest) object. Set this to `true` if you're downloading files from a CORS-enabled server that requries authentication
@@ -92,11 +92,16 @@ function $RefParserOptions(options) {
     https: 5 * 60 // 5 minutes
   };
 
-  /* http options */
+  /**
+   * HTTP request options
+   */
   this.http = {
-    /* withCredentials option of XMLHttpRequest */
-    withCredentials: true
-  }
+    /**
+     * The `withCredentials` option of XMLHttpRequest.
+     * Set this to `true` if you're downloading files from a CORS-enabled server that requires authentication
+     */
+    withCredentials: false
+  };
 
   merge(options, this);
 }
 
@@ -31,7 +31,7 @@
     "upgrade": "ncu --upgradeAll && npm update && bower update",
     "bump": "bump --prompt --grep lib/bundle.js dist/* --tag --push --all",
     "release": "npm run upgrade && npm test && npm run bump && npm publish",
-    "start": "http-server -o -c-1"
+    "start": "npm run watch & http-server -o -c-1"
   },
   "repository": {
     "type": "git",
 
@@ -53,6 +53,8 @@
     <script src="specs/circular-extended/circular-extended.dereferenced.js"></script>
     <script src="specs/circular-extended/circular-extended.spec.js"></script>
 
+    <script src="specs/cors/cors.spec.js"></script>
+
     <script src="specs/deep/deep.parsed.js"></script>
     <script src="specs/deep/deep.dereferenced.js"></script>
     <script src="specs/deep/deep.bundled.js"></script>
@@ -83,8 +85,6 @@
     <script src="specs/callbacks.spec.js"></script>
     <script src="specs/yaml.spec.js"></script>
 
-    <script src="specs/cors.spec.js"></script>
-
     <script>
       mocha.run();
     </script>
 
@@ -1,21 +1,22 @@
 'use strict';
 
-describe('parse from CORS with Access-Control-Allow-Origin: *', function() {
-  var windowOnError, testDone;
-
-  beforeEach(function() {
-    windowOnError = global.onerror;
-    global.onerror = function() {
-      testDone();
-      return true;
-    }
-  });
-
-  afterEach(function() {
-    global.onerror = windowOnError;
+describe('CORS support', function() {
+  it('should download successfully by default', function() {
+    // Swagger.io has CORS enabled, with "Access-Control-Allow-Origin" set to a wildcard ("*").
+    // This should work by-default.
+    var parser = new $RefParser();
+    return parser
+      .parse('http://petstore.swagger.io:80/v2/swagger.json')
+      .then(function(schema) {
+        expect(schema).to.be.an('object');
+        expect(schema).not.to.be.empty;
+        expect(parser.schema).to.equal(schema);
+      });
   });
 
-  it('should parse successfully with http.withCredentials = false', function() {
+  it('should download successfully with http.withCredentials = false (default)', function() {
+    // Swagger.io has CORS enabled, with "Access-Control-Allow-Origin" set to a wildcard ("*").
+    // So, withCredentials MUST be false (this is the default, but we're testing it explicitly here)
     var parser = new $RefParser();
     return parser
       .parse('http://petstore.swagger.io:80/v2/swagger.json', {
@@ -29,8 +30,14 @@ describe('parse from CORS with Access-Control-Allow-Origin: *', function() {
   });
 
   if (userAgent.isBrowser) {
-    it('should throw error in browser if http.withCredentials = true (default)', function(done) {
-      testDone = done;
+    it('should throw error in browser if http.withCredentials = true', function() {
+      // Some old Webkit browsers throw a global error
+      var oldOnError = global.onerror;
+      global.onerror = function() {
+        global.onerror = oldOnError; // restore the original error handler (failsafe)
+        return true;  // ignore the error
+      };
+
       var parser = new $RefParser();
       return parser
         .parse('http://petstore.swagger.io:80/v2/swagger.json', {
@@ -39,7 +46,9 @@ describe('parse from CORS with Access-Control-Allow-Origin: *', function() {
         .then(helper.shouldNotGetCalled)
         .catch(function(err) {
           expect(err.message).to.contain('Error downloading file');
-          done();
+
+          // Restore the original error handler
+          global.onerror = oldOnError;
         });
     });
   }