#15177 closed bug (cantfix)
Opened July 04, 2014 12:03PM UTC
Closed July 04, 2014 03:37PM UTC
Last modified July 10, 2014 09:37PM UTC
preflight OPTIONS not sent when credentials are given as arguments to xhr.open()
Reported by: | oberhamsi | Owned by: | |
---|---|---|---|
Priority: | undecided | Milestone: | None |
Component: | ajax | Version: | 2.1.1 |
Keywords: | cors | Cc: | |
Blocked by: | Blocking: |
Description
Tested with jquery master from github and Firefox 30 and Chrome 35 beta.
The preflight OPTIONS request is not sent when credentials are specified
as arguments to XMLHttpRequest.open().
Manually adding the "Authorization" header works in both browsers; i.e.: the OPTIONS request is sent before the actual response.
The point of the examples below is to demonstrate that the required OPTIONS request is sent by the browsers in case 1) but not in case 2). Both requests fail to actually load the content because the *server's response* to the OPTIONS request is wrong.
1) OPTIONS request is correctly sent
```javascript
var url = "https://test-cors.appspot.com/";
var username = "foo";
var password = "bar";
var xhr = new XMLHttpRequest();
xhr.open('GET', url, true);
xhr.withCredentials = true;
xhr.setRequestHeader("Authorization", "Basic " + btoa(username + ":" + password));
xhr.send();
```
2) OPTIONS request is *not* sent
```javascript
var url = "https://test-cors.appspot.com/";
var username = "foo";
var password = "bar";
var xhr = new XMLHttpRequest();
xhr.open('GET', url, true, username, password);
xhr.withCredentials = true;
xhr.send();
```
Change History (5)
Changed July 04, 2014 12:14PM UTC by comment:1
Changed July 04, 2014 03:37PM UTC by comment:2
resolution: | → cantfix |
---|---|
status: | new → closed |
See discussion in the pull request
Changed July 04, 2014 04:44PM UTC by comment:3
Found a public server to make the examples work:
1) per spec: both the preflight OPTIONS (without credentials) and the normal request (with credentials) are sent: http://jsfiddle.net/c5wS8/
2) preflight OPTIONS not sent, resulting in a basic auth popup in Chrome: http://jsfiddle.net/kukq8/
If this is intended behaviour, I would file a documentation bug regarding this ;)
Changed July 10, 2014 02:06PM UTC by comment:4
Per the pull request discussion it now seems this is a browser bug.
Could you guys please re-open this bug or the other one with the same problem: http://bugs.jquery.com/ticket/12698
Or is this really not to be fixed?
Changed July 10, 2014 09:37PM UTC by comment:5
Do you have a proposal on how to work around this browser bug?
pull request: https://github.com/jquery/jquery/pull/1614
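
One way to apply the behaviour reported in case 1 as a workaround, written as an added example that is not part of the ticket, the pull request or jQuery: for cross-origin requests the credentials are moved out of `xhr.open()` and into an explicit `Authorization` header, which is not a CORS-safelisted header and therefore triggers the preflight. The function names, the option names and the `pageOrigin` parameter (standing in for `location.origin`) are assumptions made for this sketch.

```javascript
// Added example, not jQuery code. planBasicAuthRequest, sendPlanned and the
// option names are hypothetical; pageOrigin stands in for location.origin.

// Base64 of the UTF-8 bytes: bare btoa() throws on characters above U+00FF.
function base64Utf8(text) {
  const bytes = new TextEncoder().encode(text);
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return typeof btoa === "function"
    ? btoa(binary)
    : Buffer.from(bytes).toString("base64"); // fallback for older Node.js
}

function planBasicAuthRequest(opts, pageOrigin) {
  const target = new URL(opts.url, pageOrigin);
  const crossOrigin = target.origin !== new URL(pageOrigin).origin;
  const plan = {
    openArgs: [opts.method || "GET", target.href, true],
    headers: Object.assign({}, opts.headers),
    withCredentials: Boolean(opts.withCredentials),
  };
  if (opts.username == null) return plan;
  if (opts.username.includes(":")) {
    throw new Error("Basic auth user-id must not contain ':'");
  }
  if (crossOrigin) {
    // Case 1 from the ticket: explicit header, nothing passed to open().
    plan.headers.Authorization =
      "Basic " + base64Utf8(opts.username + ":" + (opts.password || ""));
    plan.withCredentials = true;
  } else {
    // Same-origin requests are never preflighted, so open() may take them.
    plan.openArgs.push(opts.username, opts.password || "");
  }
  return plan;
}

// Browser only: apply a plan to a real XMLHttpRequest.
function sendPlanned(plan) {
  const xhr = new XMLHttpRequest();
  xhr.open(...plan.openArgs);
  xhr.withCredentials = plan.withCredentials;
  for (const [name, value] of Object.entries(plan.headers)) {
    xhr.setRequestHeader(name, value);
  }
  xhr.send();
  return xhr;
}
```

The server still has to answer the preflight with `Access-Control-Allow-Headers` covering `Authorization`, otherwise the request fails as both of the reporter's cases do.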