#8423 closed bug (fixed)
Opened March 02, 2011 02:06PM UTC
Closed March 06, 2011 11:42PM UTC
Last modified March 09, 2012 08:09AM UTC
Cross origin AJAX request always preflighted
Reported by: | Arjen | Owned by: | jaubourg |
---|---|---|---|
Priority: | high | Milestone: | 1.5.2 |
Component: | ajax | Version: | 1.5.1 |
Keywords: | | Cc: | |
Blocked by: | | Blocking: | |
Description
By setting a custom header, X-Requested-With, all cross-domain ajax requests will be pre-flighted and need an extra OPTIONS http request.
http://www.w3.org/TR/cors/#cross-origin-request
"If the force preflight flag is false and the following conditions are all true, follow the simple cross-origin request algorithm:
- The request method is a simple method.
- Each of the custom request headers is a simple header or custom request headers is empty."
So GET, HEAD and POST calls with 'simple' headers (http://www.w3.org/TR/cors/#simple-header) don't need preflight.
There are some restrictions on the allowed values for the Content-Type header; only application/x-www-form-urlencoded, multipart/form-data, or text/plain are considered 'safe' (https://developer.mozilla.org/en/HTTP_access_control#Preflighted_requests). This is also mentioned in the WD: http://www.w3.org/TR/cors/#design-decision-faq
Suggested fix:
1. Don't set a custom X-Requested-With header at all. They don't provide any extra security at all.
2. Only set the header when request must be preflighted, i.e. has custom headers, type is not one of GET, POST or HEAD or Content-Type is not 'safe'.
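The following is an added example, not jQuery's code and not from the ticket's reporter: it models the CORS "simple request" rule quoted above (simple method plus only simple headers with a 'safe' Content-Type) and suggested fix #2, where X-Requested-With is added only when the request would be preflighted anyway. The function names `needsPreflight` and `buildHeaders` and the `crossDomain` flag are assumptions made for this illustration.

```javascript
// Added example (not jQuery's implementation): decide whether a cross-origin
// request is preflighted under the CORS rule quoted in the ticket, and model
// suggested fix #2. All names here are assumptions for illustration.

// Simple methods per http://www.w3.org/TR/cors/#cross-origin-request
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
// Simple headers per http://www.w3.org/TR/cors/#simple-header
const SIMPLE_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
// Content-Type media types that keep a request "simple"
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// A header is simple if its name is in the simple list and, for Content-Type,
// its media type (parameters such as "; charset=UTF-8" stripped) is 'safe'.
function isSimpleHeader(name, value) {
  const n = name.toLowerCase();
  if (!SIMPLE_HEADERS.has(n)) return false;
  if (n === "content-type") {
    const mediaType = String(value).split(";")[0].trim().toLowerCase();
    return SAFE_CONTENT_TYPES.has(mediaType);
  }
  return true;
}

// True when a cross-origin request with this method and header set needs an
// extra OPTIONS preflight: non-simple method, or any non-simple header.
function needsPreflight(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  return Object.entries(headers).some(([k, v]) => !isSimpleHeader(k, v));
}

// The behaviour the ticket reports: X-Requested-With is always added, so a
// cross-domain GET that would have been simple is now preflighted.
function buildHeadersAlways(headers) {
  return { ...headers, "X-Requested-With": "XMLHttpRequest" };
}

// Suggested fix #2: for cross-domain requests, add X-Requested-With only when
// the request is preflighted regardless, so simple requests stay simple.
function buildHeadersFix2(method, headers, crossDomain) {
  const out = { ...headers };
  if (!crossDomain || needsPreflight(method, headers)) {
    out["X-Requested-With"] = "XMLHttpRequest";
  }
  return out;
}

// Constructed sample: a plain cross-domain GET with a simple Accept header.
const sampleHeaders = { Accept: "application/json" };
console.log("reported behaviour preflights:",
  needsPreflight("GET", buildHeadersAlways(sampleHeaders)));          // true
console.log("fix #2 preflights:",
  needsPreflight("GET", buildHeadersFix2("GET", sampleHeaders, true))); // false
```

Running the block shows the difference the ticket describes: with the header always present, the simple GET is preflighted; with fix #2 applied, it is not, while a PUT or a JSON-bodied POST (already non-simple) still carries the header.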
Attachments (0)
Change History (2)
Changed March 06, 2011 11:41PM UTC by comment:1
component: | unfiled → ajax |
---|---|
milestone: | 1.next → 1.5.2 |
owner: | → jaubourg |
priority: | undecided → high |
status: | new → assigned |