Bug Tracker

Ticket #8423 (closed bug: fixed)

Opened 4 years ago

Last modified 3 years ago

Cross origin AJAX request always preflighted

Reported by: Arjen Owned by: jaubourg
Priority: high Milestone: 1.5.2
Component: ajax Version: 1.5.1
Keywords: Cc:
Blocking: Blocked by:

Description

By setting a custom header, X-Requested-With, all cross-domain ajax requests will be pre-flighted and need an extra OPTIONS http request.

 http://www.w3.org/TR/cors/#cross-origin-request

"If the force preflight flag is false and the following conditions are all true, follow the simple cross-origin request algorithm:

  • The request method is a simple method.
  • Each of the custom request headers is a simple header or custom request headers is empty."

So GET, HEAD and POST calls with 'simple' headers ( http://www.w3.org/TR/cors/#simple-header) don't need preflight.

There are some restrictions on the allowed values for the Content-Type header: only application/x-www-form-urlencoded, multipart/form-data, or text/plain are considered 'safe' ( https://developer.mozilla.org/en/HTTP_access_control#Preflighted_requests). This is also mentioned in the WD:  http://www.w3.org/TR/cors/#design-decision-faq

Suggested fix:

  1. Don't set a custom X-Requested-With header at all. They don't provide any extra security at all.
  2. Only set the header when the request must be preflighted anyway, i.e. it has custom headers, the method is not one of GET, POST or HEAD, or the Content-Type is not 'safe'.
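The preflight rule quoted above, as an added example that is not part of the ticket or of jQuery's code: `needsPreflight` applies the simple-method / simple-header test from the CORS draft (including the Content-Type restriction), and `buildHeaders` shows the behaviour of the fix, adding X-Requested-With only for same-origin requests so that a cross-origin request is never pushed into a preflight by the library itself. Function names, the `pageOrigin` parameter and the sample URLs are assumptions made for this example.

```javascript
// Added example (not jQuery's code): decide whether a cross-origin request
// would be preflighted under the simple-request rule quoted in the ticket.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
// Simple headers per the CORS draft cited in the ticket; Content-Type is
// simple only for the three media types below.
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];

function isSafeContentType(value) {
  // Compare the media type only; parameters such as ";charset=utf-8" do not matter.
  const mediaType = String(value).split(";")[0].trim().toLowerCase();
  return SAFE_CONTENT_TYPES.includes(mediaType);
}

// headers: plain object of request header name -> value
function needsPreflight(method, headers) {
  if (!SIMPLE_METHODS.has(String(method).toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers || {})) {
    const lower = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(lower)) return true;            // any custom header forces a preflight
    if (lower === "content-type" && !isSafeContentType(value)) return true;
  }
  return false;
}

// True when requestUrl resolves to an origin other than pageOrigin.
// pageOrigin is an assumed parameter standing in for document.location.
function isCrossDomain(requestUrl, pageOrigin) {
  const page = new URL(pageOrigin);
  const target = new URL(requestUrl, page.origin);
  return target.origin !== page.origin;
}

// Mirrors the fix in the changeset: X-Requested-With is added automatically
// only for same-origin requests, never for cross-domain ones.
function buildHeaders(requestUrl, pageOrigin, userHeaders) {
  const headers = Object.assign({}, userHeaders || {});
  if (!isCrossDomain(requestUrl, pageOrigin)) {
    headers["X-Requested-With"] = "XMLHttpRequest";
  }
  return headers;
}

// Stand-alone demonstration with constructed sample requests.
if (typeof require !== "undefined" && require.main === module) {
  const page = "https://app.example.test";
  const cases = [
    ["GET", "https://api.example.test/items", {}],
    ["POST", "https://api.example.test/items", { "Content-Type": "application/json" }],
    ["POST", "https://api.example.test/items", { "Content-Type": "text/plain; charset=utf-8" }],
    ["GET", "/local/items", {}],
  ];
  for (const [method, url, userHeaders] of cases) {
    const headers = buildHeaders(url, page, userHeaders);
    console.log(method, url, "preflight:", needsPreflight(method, headers));
  }
}
```

The same request with the old behaviour can be checked by passing `{ "X-Requested-With": "XMLHttpRequest" }` directly to `needsPreflight`: the custom header alone is enough to force the OPTIONS round trip, which is the cost the ticket describes.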

Change History

comment:1 Changed 4 years ago by jaubourg

  • Owner set to jaubourg
  • Priority changed from undecided to high
  • Status changed from new to assigned
  • Component changed from unfiled to ajax
  • Milestone changed from 1.next to 1.5.2

comment:2 Changed 4 years ago by jaubourg

  • Status changed from assigned to closed
  • Resolution set to fixed

Fixes #8423. Never set X-Requested-With header automagically for cross-domain requests.

Changeset: 6c124d3dd47fb399c7512c5c3b3420e438c32b65
