#12698 closed bug (notabug)
Opened October 11, 2012 12:49AM UTC
Closed October 15, 2012 02:18PM UTC
Last modified March 27, 2014 04:21PM UTC
broken CORS preflight request when setting Authorization header
Reported by: | david.millet@gmail.com | Owned by: | |
---|---|---|---|
Priority: | undecided | Milestone: | None |
Component: | unfiled | Version: | 1.8.2 |
Keywords: | | Cc: | |
Blocked by: | | Blocking: | |
Description
This code generates a proper CORS preflight request due to the setting of the Authorization header:

```js
(function() {
  // synchronous XHR (third argument false); the Authorization header makes the
  // request non-simple, so the browser sends an OPTIONS preflight first
  var x = new XMLHttpRequest();
  x.open('POST', 'https://' + document.domain, false);
  x.onreadystatechange = function() {
    if (x.readyState === 4) {
      console.info(x.responseText);
    }
  };
  x.setRequestHeader('Authorization', 'test');
  x.send('');
})();
```

This code generates a broken CORS preflight request (at least in Chrome):

```js
(function() {
  // same request through jQuery (asynchronous); note the 'method' option,
  // which comment:1 below points out is not the jQuery 1.8 option name
  $.ajax({
    url: 'https://' + document.domain,
    method: 'POST',
    headers: {
      Authorization: 'test'
    },
    success: function(text) {
      console.info(text);
    }
  });
})();
```

I believe this may be a bug.
Attachments (0)
Change History (6)
Changed October 15, 2012 02:18PM UTC by comment:1
resolution: | → notabug |
---|---|
status: | new → closed |
Changed October 15, 2012 03:43PM UTC by comment:2
Replying to [comment:1 jaubourg]:

> The correct option is `type`, not `method`, so you're issuing a GET request here.
You're right that I accidentally used 'method' instead of 'type', but you're wrong that this fixes it. The problem persists even after fixing that problem.
I want to be sure I'm being really clear about the problem here. The problem is that neither POST nor GET requests can be issued cross-origin using jQuery if the Authorization header is being set, because it generates a faulty OPTIONS request. This doesn't happen using the native DOM methods. Does that make sense?
Changed February 14, 2013 04:01PM UTC by comment:3
I can verify that what David said still applies as of the day I'm posting this comment (at version 1.9.1).
It doesn't even seem to matter if you use POST or GET - the OPTIONS preflight request doesn't contain the "Authorization" header, thus ending in an unauthorized request to the server.
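An added model of the exchange described in comments 2 and 3 (not code from the ticket or from jQuery): the browser-side preflight builder, a hypothetical server, and the end-to-end flow, so the reader can see that the OPTIONS request legitimately lacks the Authorization value and that a server demanding credentials on the preflight is what ends in an unauthorized request. `ALLOWED_ORIGIN`, `VALID_TOKEN` and the `authBeforePreflight` policy flag are constructed for this example.

```javascript
// Added model (not the ticket's code) of the CORS exchange the thread describes.
// A browser never copies Authorization into the OPTIONS preflight; it announces
// only the header *name*, so a server that demands credentials on OPTIONS fails.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const lower = (h) => Object.fromEntries(Object.entries(h).map(([k, v]) => [k.toLowerCase(), v]));
// The OPTIONS request a browser would send for this call, or null if the
// request is "simple" (simplification: any content-type value counts as simple).
function buildPreflight(origin, method, headers) {
  const nonSimple = Object.keys(lower(headers)).filter((k) => !SIMPLE_HEADERS.has(k)).sort();
  if (SIMPLE_METHODS.has(method.toUpperCase()) && nonSimple.length === 0) return null;
  const pre = { method: "OPTIONS", headers: { origin, "access-control-request-method": method.toUpperCase() } };
  if (nonSimple.length) pre.headers["access-control-request-headers"] = nonSimple.join(",");
  return pre; // no "authorization" key here, only its name in the list above
}
// Hypothetical server; ALLOWED_ORIGIN and VALID_TOKEN are constructed values.
// policy.authBeforePreflight reproduces the broken server behaviour from the
// thread: credentials demanded on OPTIONS, which the browser can never supply.
const ALLOWED_ORIGIN = "https://app.example";
const VALID_TOKEN = "Bearer test";
function handleRequest(req, policy = { authBeforePreflight: false }) {
  const h = lower(req.headers);
  if (h.origin !== undefined && h.origin !== ALLOWED_ORIGIN) return { status: 403, headers: {} };
  const cors = h.origin ? { "access-control-allow-origin": h.origin, vary: "Origin" } : {};
  const isPreflight = req.method === "OPTIONS" && "access-control-request-method" in h;
  if ((!isPreflight || policy.authBeforePreflight) && h.authorization !== VALID_TOKEN) {
    return { status: 401, headers: cors };
  }
  if (isPreflight) { // fixed allow-list; never reflect the requested header list back
    return { status: 204, headers: { ...cors, "access-control-allow-methods": "GET, POST",
      "access-control-allow-headers": "authorization, content-type", "access-control-max-age": "600" } };
  }
  return { status: 200, headers: cors, body: "ok" };
}
// End-to-end as the browser does it: preflight first, the real request only if
// the preflight succeeded and permitted every non-simple header.
function crossOriginRequest(origin, method, headers, policy) {
  const pre = buildPreflight(origin, method, headers);
  if (pre) {
    const res = handleRequest(pre, policy);
    const allowed = (res.headers["access-control-allow-headers"] || "").split(/,\s*/);
    const wanted = (pre.headers["access-control-request-headers"] || "").split(",").filter(Boolean);
    if (res.status >= 400 || !wanted.every((k) => allowed.includes(k))) {
      return { status: 0, error: "preflight failed with HTTP " + res.status };
    }
  }
  return handleRequest({ method: method.toUpperCase(), headers: { origin, ...headers } }, policy);
}
```

Run `crossOriginRequest("https://app.example", "POST", { Authorization: "Bearer test" }, { authBeforePreflight: true })` to see the thread's symptom: the preflight itself comes back 401 and the real request is never sent.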
Changed February 14, 2013 04:22PM UTC by comment:4
description: | code samples in the description wrapped in `{{{#!js ... }}}` blocks (content otherwise unchanged) |
---|
Changed February 14, 2013 04:26PM UTC by comment:5
What I see here is that the first request is synchronous, while the second one is not. Also, it's still not clear what's happening and what's expected, since none is given (no log, no screen, nothing).
Would you be able to provide a verifiable test case (i.e. a page on the internet that shows the problem in a minimal fashion, not a full-fledged web app)? If such a test case cannot be presented and the discrepancies between the expected and actual behaviours are not stated, we just cannot re-open this.
Changed March 27, 2014 04:21PM UTC by comment:6
I have the same problem... OPTIONS has no additional header, but the POST/GET call does.