Side navigation
#4858 closed bug (duplicate)
Opened July 07, 2009 05:41AM UTC
Closed November 25, 2009 06:29PM UTC
Access control behaves differently with custom headers set - and jQ sets a custom header
| Reported by: | kesor | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | 1.4 |
| Component: | ajax | Version: | 1.3.2 |
| Keywords: | Cc: | ||
| Blocked by: | Blocking: |
Description
According to the specs for Access-Control, using a 'POST' to a cross-domain should not trigger an OPTIONS pre-flight. Unless there are non-standard headers that is.
http://www.w3.org/TR/2007/WD-access-control-20071126/
https://developer.mozilla.org/en/HTTP_access_control
These two lines in jquery.js set a custom header, and cause a preflight OPTIONS request:
Set header so the called script knows that it's an XMLHttpRequest
xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
Would be great if it could be either disabled by default for cross-domain requests, or removed completely, or made optional with a provided switch to toggle it on and off.
Same bug in Dojo: http:trac.dojotoolkit.org/ticket/9486
Attachments (0)
Change History (1)
Changed November 25, 2009 06:29PM UTC by comment:1
| resolution: | → duplicate |
|---|---|
| status: | new → closed |
Duplicate of #4601.