diff --git a/README.md b/README.md
index 48b7ff3..94b3b38 100644
--- a/README.md
+++ b/README.md
@@ -33,7 +33,8 @@ type XhrOptions = String | {
     timeout: Number?,
     headers: Object?,
     body: String?,
-    json: Object?
+    json: Object?,
+    withCredentials: Boolean?
 }
 xhr := (XhrOptions, Callback<Response>) => Request
 ```
@@ -100,6 +101,13 @@ A valid JSON serializable value to be send to the server. If this
 
 Additionally the response body is parsed as JSON
 
+### `options.withCredentials`
+
+Specify whether user credentials are to be included in a cross-origin
+    request. Sets [`xhr.withCredentials`][10]. Defaults to true
+    when `options.cors` is true.
+
+
 ## MIT Licenced
 
   [1]: http://xhr.spec.whatwg.org/#the-send()-method
@@ -111,3 +119,4 @@ Additionally the response body is parsed as JSON
   [7]: http://xhr.spec.whatwg.org/#the-responsetext-attribute
   [8]: http://xhr.spec.whatwg.org/#the-responsexml-attribute
   [9]: http://xhr.spec.whatwg.org/#the-setrequestheader()-method
+  [10]: http://xhr.spec.whatwg.org/#the-withcredentials-attribute
diff --git a/index.js b/index.js
index 2cb5b79..b188625 100644
--- a/index.js
+++ b/index.js
@@ -56,9 +56,11 @@ function createXHR(options, callback) {
     // hate IE
     xhr.ontimeout = noop
     xhr.open(method, uri, !sync)
-    if (options.cors) {
+
+    if (options.cors && options.withCredentials !== false) {
         xhr.withCredentials = true
     }
+
     // Cannot set timeout with sync request
     if (!sync) {
         xhr.timeout = "timeout" in options ? options.timeout : 5000
diff --git a/test/index.js b/test/index.js
index 062fc8d..d975c6c 100644
--- a/test/index.js
+++ b/test/index.js
@@ -20,3 +20,26 @@ test("can GET current page", function(assert) {
     })
 })
 
+test("withCredentials option", function(assert) {
+    var req = xhr({}, function () {})
+    assert.ok(
+        !req.withCredentials,
+        "withCredentials not true when nothing set in options"
+    )
+    req = xhr({
+        cors: true
+    }, function () {})
+    assert.ok(
+        req.withCredentials,
+        "withCredentials set to true when cors is true in options"
+    )
+    req = xhr({
+        cors: true,
+        withCredentials: false
+    }, function () {})
+    assert.ok(
+        !req.withCredentials,
+        "withCredentials set to false when set to false in options"
+    )
+    assert.end()
+})