esri.config.defaults.io.enableCors = true | false;
esri.setRequestPreCallback(function (ioArgs) { ioArgs.withCredentials = (shouldUseCredentials(ioArgs.url) === true); return ioArgs; });
Solved my problem by delving into the API code. (Thank you so much for being transparent, ESRI!) Was actually quite simple once you read through it.
It would still be nice to have the option. But as long as I can override/wrap functions, I'm good.
I would reveal my solution. But I don't think it's a good idea to expose a hack to the mass. Would be better to let ESRI add the functionality, in my opinion.
if (!dojo._xhr) { dojo._xhr = dojo.xhr; } dojo.xhr = function() { try { var args = arguments[1]; args["withCredentials"] = true; arguments[1] = args; } catch (e) { console.log(e); } return dojo._xhr(arguments[0], arguments[1]); };