From e6080ae7d9a5cae5cc79e2c31cdd41fae324c8c5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Chlo=C3=A9=20Briquet?= Date: Sun, 8 Dec 2019 13:00:49 +0100 Subject: [PATCH] [Mercure] update mercure doc to add clarification in authorization --- mercure.rst | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/mercure.rst b/mercure.rst index 6660f6a38f1..e8a7664b32d 100644 --- a/mercure.rst +++ b/mercure.rst @@ -364,10 +364,17 @@ a JWT containing a topic selector matching by the update's topic. To provide this JWT, the subscriber can use a cookie, or a ``Authorization`` HTTP header. -Cookies are automatically sent by the browsers when opening an ``EventSource`` connection. + +Cookies are automatically sent by the browsers when opening an ``EventSource`` connection if the ``withCredentials`` attribute is set to ``true``. Using cookies is the most secure and preferred way when the client is a web browser. If the client is not a web browser, then using an authorization header is the way to go. +.. code-block:: javascript + + const eventSource = new EventSource(hub, { + withCredentials: true + }); + .. tip:: The native implementation of EventSource doesn't allow specifying headers.
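Review bot: The condition added to the "Cookies are automatically sent by the browsers" sentence is only accurate for cross-origin hubs. Browsers send cookies on a same-origin ``EventSource`` connection whether or not ``withCredentials`` is set, so as worded the sentence suggests the option is always required. Suggest qualifying it, for example "if the hub is on a different origin, the ``withCredentials`` option must be set to ``true``". It is also worth stating that in the cross-origin case the hub has to answer with ``Access-Control-Allow-Credentials: true`` and an explicit, non-wildcard ``Access-Control-Allow-Origin``, otherwise the browser rejects the response and the subscription fails. Two smaller points: the new ``code-block`` lands after the paragraph about non-browser clients and the authorization header, while it illustrates the cookie sentence, so it should move directly under that sentence; and ``hub`` is not defined in the snippet, so a comment saying it holds the hub URL would help. The new sentence is also much longer than the surrounding lines and should be wrapped to match the file.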