Ticket #4858 (closed bug: duplicate)
Access control behaves differently with custom headers set - and jQ sets a custom header
|Reported by:||kesor||Owned by:|
According to the specs for Access-Control, using a 'POST' to a cross-domain should not trigger an OPTIONS pre-flight. Unless there are non-standard headers that is.
These two lines in jquery.js set a custom header, and cause a preflight OPTIONS request:
Set header so the called script knows that it's an XMLHttpRequest xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
Would be great if it could be either disabled by default for cross-domain requests, or removed completely, or made optional with a provided switch to toggle it on and off.
Same bug in Dojo: http://trac.dojotoolkit.org/ticket/9486