Bug Tracker

#12698 closed bug (notabug)

Opened October 11, 2012 12:49AM UTC

Closed October 15, 2012 02:18PM UTC

Last modified March 27, 2014 04:21PM UTC

broken CORS preflight request when setting Authorization header

Reported by: david.millet@gmail.com Owned by:
Priority: undecided Milestone: None
Component: unfiled Version: 1.8.2
Keywords: Cc:
Blocked by: Blocking:
Description

This code generates a proper CORS preflight request due to the setting of the Authorization header:

(function() {
  // Synchronous XHR (third argument false). Setting a non-safelisted header
  // such as Authorization makes the browser send an OPTIONS preflight first.
  var x = new XMLHttpRequest();
  x.open('POST', 'https://' + document.domain, false);
  x.onreadystatechange = function() {
    if (x.readyState === 4) {
      console.info(x.responseText);
    }
  };
  x.setRequestHeader('Authorization', 'test');
  x.send('');
})();

This code generates a broken CORS preflight request (at least in Chrome):

(function() {
  // Same request through jQuery: the Authorization header is passed via the
  // headers option; the request is asynchronous.
  $.ajax({
    url: 'https://' + document.domain,
    method: 'POST',
    headers: {
      Authorization: 'test'
    },
    success: function(text) {
      console.info(text);
    }
  });
})();

I believe this may be a bug.

Attachments (0)
Change History (6)

Changed October 15, 2012 02:18PM UTC by jaubourg comment:1

resolution: → notabug
status: new → closed

The correct option is type, not method, so you're issuing a GET request here.

Changed October 15, 2012 03:43PM UTC by david.millet@gmail.com comment:2

Replying to [comment:1 jaubourg]:

The correct option is type, not method, so you're issuing a GET request here.

You're right that I accidentally used 'method' instead of 'type', but you're wrong that this fixes it. The problem persists even after fixing that problem.

I want to be sure I'm being really clear about the problem here. The problem is that neither POST nor GET requests can be issued cross-origin using jQuery if the Authorization header is being set, because it generates a faulty OPTIONS request. This doesn't happen using the native DOM methods. Does that make sense?

Changed February 14, 2013 04:01PM UTC by Or comment:3

I can verify what David said is still actual to the day I'm posting this comment (at version 1.9.1).

It doesn't even seem to matter if you use POST or GET - the OPTIONS preflight request doesn't contain the "Authorization" header, thus ending in an unauthorized request to the server.
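The exchange described in comments 2 and 3, as an added example that is not part of this ticket or of jQuery: a small model of the CORS preflight in plain JavaScript (Node.js, no dependencies). All function names and the origin https://app.example are this example's own. It goes slightly beyond the ticket by classifying any method/header combination as "simple" or preflighted, and it shows two things the comments circle around: the OPTIONS request never carries the Authorization header (the browser only names it in Access-Control-Request-Headers), so a server that demands authentication on OPTIONS answers 401 and the browser never sends the real request; and the server's Access-Control-Allow-Headers must list Authorization explicitly, because the "*" wildcard does not cover it.

```javascript
// Added example, not code from the ticket or from jQuery: a plain-JavaScript
// model of the CORS preflight exchange. Function names and the origin
// https://app.example are this example's own (Node.js, no dependencies).

const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFELISTED_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// A request is "simple" (sent without preflight) only if its method and every
// header are on the CORS safelist. Authorization is not, so it always preflights.
function isSimpleRequest(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return false;
    if (lower === 'content-type' &&
        !SAFELISTED_TYPES.has(value.split(';')[0].trim().toLowerCase())) return false;
  }
  return true;
}

// What the browser sends as the preflight. The author's headers (Authorization
// included) are NOT carried on it; they are only named in
// Access-Control-Request-Headers. Returns null when no preflight is needed.
function buildPreflight(origin, method, headers) {
  if (isSimpleRequest(method, headers)) return null;
  const requested = Object.keys(headers).map((h) => h.toLowerCase()).sort();
  return {
    method: 'OPTIONS',
    headers: {
      'origin': origin,
      'access-control-request-method': method.toUpperCase(),
      'access-control-request-headers': requested.join(', '),
    },
  };
}

// Server side: answer the preflight. This must run before any authentication
// check, because the preflight cannot carry credentials or an Authorization header.
function handlePreflight(preflight, allowedOrigins) {
  const origin = preflight.headers['origin'];
  if (!allowedOrigins.includes(origin)) return { status: 403, headers: {} };
  return {
    status: 204,
    headers: {
      'access-control-allow-origin': origin,
      'access-control-allow-methods': 'GET, POST, OPTIONS',
      // Authorization has to be listed by name; the "*" wildcard does not cover it.
      'access-control-allow-headers': 'authorization, content-type',
      'access-control-max-age': '600',
      'vary': 'Origin',
    },
  };
}

// Browser side: does the preflight response permit the real request?
function preflightPermits(preflight, response) {
  if (response.status < 200 || response.status > 299) return false;
  const req = preflight.headers;
  const res = response.headers;
  const split = (v) => (v || '').split(',').map((s) => s.trim()).filter(Boolean);
  const allowOrigin = res['access-control-allow-origin'];
  if (allowOrigin !== req['origin'] && allowOrigin !== '*') return false;
  const method = req['access-control-request-method'];
  const methods = split(res['access-control-allow-methods']).map((m) => m.toUpperCase());
  if (!SIMPLE_METHODS.has(method) && !methods.includes(method) && !methods.includes('*')) return false;
  const allowed = split(res['access-control-allow-headers']).map((h) => h.toLowerCase());
  for (const name of split(req['access-control-request-headers'])) {
    const byWildcard = allowed.includes('*') && name !== 'authorization';
    if (!allowed.includes(name) && !byWildcard) return false;
  }
  return true;
}

// The ticket's scenario: a cross-origin POST with an Authorization header.
const preflight = buildPreflight('https://app.example', 'POST', { Authorization: 'test' });
console.log('preflight carries Authorization?', 'authorization' in preflight.headers); // false
// A server that requires authentication on OPTIONS (the symptom in comment:3):
console.log('401 on OPTIONS permits request?', preflightPermits(preflight, { status: 401, headers: {} }));
// A server that answers the preflight correctly:
console.log('correct handler permits request?',
  preflightPermits(preflight, handlePreflight(preflight, ['https://app.example'])));
```

The practical consequence for anyone debugging this symptom: look at the server's response to the OPTIONS request, not at the client library. If that response is a 401/403 or lacks an Access-Control-Allow-Headers value naming authorization, the browser stops there, and it does so identically for a raw XMLHttpRequest and for $.ajax.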

Changed February 14, 2013 04:22PM UTC by jaubourg comment:4

description: modified (the two code samples were wrapped in Trac {{{#!js ... }}} blocks; the text is otherwise unchanged)

Changed February 14, 2013 04:26PM UTC by jaubourg comment:5

What I see here is that the first request is synchronous, while the second one is not. Also, it's still not clear what's happening and what's expected, since none is given (no log, no screen, nothing).

Would you be able to provide a verifiable test case (i.e. a page on the internet that shows the problem in a minimal fashion -- not a full-fledged web app)? If such a test case cannot be presented and the discrepancies between the expected and actual behaviours are not stated, we just cannot re-open this.

Changed March 27, 2014 04:21PM UTC by anonymous comment:6

I have the same problem... OPTIONS has no additional header, but the POST/GET call has.