Related to #49.

Minimal repro: https://github.com/pswai/nise-defake-issue

Considering this case:

sinon.FakeXMLHttpRequest.useFilters = true;
sinon.FakeXMLHttpRequest.addFilter(() => true);

const server = sinon.fakeServer.create();

const xhr = new XMLHttpRequest();
xhr.open("GET", "http://www.mocky.io/v2/5e8aa67e2d00003c1a1a473e", true);

// Setting `withCredentials` applies only to the FakeXhr instance.
// The `workingXHR` in `defake` does not receive this.
xhr.withCredentials = true;
xhr.send();

xhr.send() calls the send function defined in the defake function. Since defake is called during open, any modification to the fake XHR does not reflect on the actual XHR. In this example, if we put a breakpoint in send, we can see that withCredentials is false for the actual XHR.

I think we can either utilise Proxy to setup trap for setting properties after defake, or do copyAttrs again in send.

This was discovered when I was trying to use unsafeHeadersEnabled: false with fake server and noticed that withCredentials didn't work 😅