When embedding the viewer in some way or another, letting the parent application provide credentials for the viewer (for use with its own requests) may be necessary when the server performs access control.

Suggestion: Such concerns may arguably be out-of-scope for a viewer, in which case it might be easier and more flexible (especially given the wide variety of mechanisms used to provide credentials in HTTP) to allow the parent application to provide the fetch function or XMLHttpRequest constructor function (whichever is used eventually) during initialization of the viewer instead of the viewer using the global one. That way an application can hook into the process in any way it wants (including adding HTTP headers such as the Authorization header for credentials) in a way that is completely transparent and future-proof for the viewer.
This is implemented by the following changeset (will be part of 2.0 release of the Stone Web viewer):
https://hg.orthanc-server.com/orthanc-stone/rev/28755e42c007

For instance, if the user opens the Stone Web viewer using the following URL:
http://.../index.html?study=<StudyInstanceUID1>&token=Hello

Then each request to the DICOMweb server will set the HTTP header: "Authorization: Bearer Hello".

Note that it is actually *not* possible to directly expose the XMLHttpRequest objects in JavaScript, as such objects are internally created by the C "Fetch" API of WebAssembly:
https://emscripten.org/docs/api_reference/fetch.html
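
The two ideas in this thread, as an added example that is not code from the changeset or from the Stone Web viewer: turning the `token` GET parameter into an `Authorization: Bearer` header, and the injected fetch wrapper suggested in the first post. The function names, the sample URLs, the token syntax check and the rule of attaching the token only to the DICOMweb origin are assumptions of this example.

```javascript
// Added example; every function name here is hypothetical, not a Stone Web viewer API.
// RFC 6750 "b64token" syntax: rejects CR/LF, spaces and other header-breaking characters.
const B64TOKEN = /^[A-Za-z0-9\-._~+\/]+=*$/;

// Read the "token" GET parameter from the viewer URL. Returns the token
// (null if absent or malformed) and the same URL with the token removed.
function extractToken(viewerUrl) {
  const url = new URL(viewerUrl);
  const raw = url.searchParams.get('token');
  url.searchParams.delete('token');
  const token = raw !== null && B64TOKEN.test(raw) ? raw : null;
  return { token, scrubbedUrl: url.toString() };
}

// Wrap a fetch-compatible function so that the bearer token is attached only
// to requests whose origin matches the DICOMweb server.
function makeAuthorizedFetch(baseFetch, token, dicomwebOrigin) {
  return function authorizedFetch(resource, init = {}) {
    const target = new URL(resource, dicomwebOrigin);
    if (token === null || target.origin !== dicomwebOrigin) {
      return baseFetch(resource, init); // no credentials for other origins
    }
    // Assumes init.headers is a plain object (not a Headers instance).
    const headers = { ...(init.headers || {}), Authorization: `Bearer ${token}` };
    return baseFetch(resource, { ...init, headers });
  };
}

// Constructed sample values.
const SAMPLE_URL = 'https://viewer.example/index.html?study=1.2.3&token=Hello';
const DICOMWEB_ORIGIN = 'https://pacs.example';
```

In a browser, `scrubbedUrl` can be passed to `history.replaceState` so the token does not remain in the address bar or session history.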