update mercure doc to add clarification in authorization

Author: rooselle

mercure.rst

@@ -362,10 +362,16 @@ a JWT containing at least one target marking the update to the Hub.
 
 To provide this JWT, the subscriber can use a cookie,
 or a ``Authorization`` HTTP header.
-Cookies are automatically sent by the browsers when opening an ``EventSource`` connection.
+Cookies are automatically sent by the browsers when opening an ``EventSource`` connection if the ``withCredentials`` attribute is set to ``true``.
 Using cookies is the most secure and preferred way when the client is a web browser.
 If the client is not a web browser, then using an authorization header is the way to go.
 
+.. code-block:: javascript
+
+    const eventSource = new EventSource(hub, {
+        withCredentials: true
+    });
+
 .. tip::
 
     The native implementation of EventSource doesn't allow specifying headers.