Skip to main content

Bug Tracker

Side navigation

#15177 closed bug (cantfix)

Opened July 04, 2014 12:03PM UTC

Closed July 04, 2014 03:37PM UTC

Last modified July 10, 2014 09:37PM UTC

preflight OPTIONS not sent when credentials are given as arguments to xhr.open()

Reported by: oberhamsi Owned by:
Priority: undecided Milestone: None
Component: ajax Version: 2.1.1
Keywords: cors Cc:
Blocked by: Blocking:
Description

Tested with jquery master from github and Firefox 30 and Chrome 35 beta.

The preflight OPTIONS request is not sent when credentials are specified

as arguments to XMLHttpRequest.open().

Manually adding the "Authorization" header works in both browsers; i.e.: the OPTIONS request is sent before the actual response.

The point of the examples below is to demonstrate that the required OPTIONS requests is sent by the browsers in case 1) but not in case 2). Both requests fail to actually load the content because the *server's response* to the OPTIONS request is wrong.

1) OPTIONS request is correctly sent

    var url = "https://test-cors.appspot.com/";
    var username = "foo";
    var password = "bar";

    var xhr = new XMLHttpRequest();
    xhr.open('GET', url, true);
    xhr.withCredentials = true;
    xhr.setRequestHeader("Authorization", "Basic " + btoa(username + ":" + password));
    xhr.send(); 

2) OPTIONS request is *not* sent

   var url = "https://test-cors.appspot.com/";
    var username = "foo";
    var password = "bar";

    var xhr = new XMLHttpRequest();
    xhr.open('GET', url, true, username, password);
    xhr.withCredentials = true;
    xhr.send(); 
Attachments (0)
Change History (5)

Changed July 04, 2014 12:14PM UTC by oberhamsi comment:1

Changed July 04, 2014 03:37PM UTC by markelog comment:2

resolution: → cantfix
status: newclosed

See discussion in the pull request

Changed July 04, 2014 04:44PM UTC by oberhamsi comment:3

found a public server to make the examples work:

1) per spec: both, the preflight OPTIONS (without credentials) and the normal request (with credentials) are sent: http://jsfiddle.net/c5wS8/

2) preflight OPTIONS not sent resulting in a basicauth popup in chrome: http://jsfiddle.net/kukq8/

if this is intended behaviour, i would file a documentation bug regarding this ;)

Changed July 10, 2014 02:06PM UTC by oberhamsi comment:4

per pullrequest discussion it now seems this is a browser bug.

could you guys please re-open this bug or the other one with the same problem: http://bugs.jquery.com/ticket/12698

or is this really not to be fixed?

Changed July 10, 2014 09:37PM UTC by dmethvin comment:5

Do you have a proposal on how to work around this browser bug?