diff --git a/index.js b/index.js
index 2415013..1e5c48a 100644
--- a/index.js
+++ b/index.js
@@ -191,9 +191,12 @@ function _createXHR(options) {
 xhr.ontimeout = errorFunc
 xhr.open(method, uri, !sync, options.username, options.password)
 //has to be after open
- if(!sync) {
- xhr.withCredentials = !!options.withCredentials
- }
+ // Set withCredentials for both sync and async requests when explicitly requested.
+ // Previously this was guarded by `if (!sync)` to work around a Firefox crash
+ // when withCredentials was always forced on sync requests. Setting it only when
+ // the caller opts in (options.withCredentials is truthy) is safe in all modern
+ // browsers for both sync and async. See: https://github.com/naugtur/xhr/issues/168
+ xhr.withCredentials = !!options.withCredentials
 // Cannot set timeout with sync request
 // not setting timeout on the xhr object, because of old webkits etc. not handling that correctly
 // both npm's request and jquery 1.x use this kind of timeout, so this is being consistent
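Review bot: The added comment says the flag is set only when the caller opts in, but the new line `xhr.withCredentials = !!options.withCredentials` assigns the property on every request, including sync requests where the caller never asked for credentials. If the assignment itself is what older engines rejected on sync requests (the comment mentions a Firefox crash), writing `false` would presumably still trigger it; `if (options.withCredentials) { xhr.withCredentials = true }` makes the code match the comment and leaves the browser default untouched otherwise. Sync callers that already passed `withCredentials: true` had it silently ignored before and will now send cookies and HTTP auth on cross-origin requests, so this behaviour change deserves a changelog entry. _createXHR's body starts and ends outside the hunk.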