#12698 closed bug (notabug)
broken CORS preflight request when setting Authorization header
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | undecided | Milestone: | None |
Component: | unfiled | Version: | 1.8.2 |
Keywords: | Cc: | ||
Blocked by: | Blocking: |
Description (last modified by )
This code generates a proper CORS preflight request due to the setting of the Authorization header:
```javascript
(function() {
    x = new XMLHttpRequest();
    x.open('POST', 'https://' + document.domain, false);
    x.onreadystatechange = function() {
        if( x.readyState === 4 ) {
            console.info(x.responseText);
        }
    };
    x.setRequestHeader('Authorization', "test");
    x.send('');
})();
```
This code generates a broken CORS preflight request (at least in Chrome):
```javascript
(function() {
    $.ajax({
        url: 'https://' + document.domain,
        method: 'POST',
        headers: { Authorization: 'test' },
        success: function(text) {
            console.info(text);
        }
    });
})();
```
I believe this may be a bug.
Change History (6)
comment:1 follow-up: 2 Changed 11 years ago by
Resolution: | → notabug |
---|---|
Status: | new → closed |
comment:2 Changed 11 years ago by
Replying to jaubourg:
> The correct option is `type`, not `method`, so you're issuing a GET request here.
You're right that I accidentally used 'method' instead of 'type', but you're wrong that this fixes it. The problem persists even after fixing that problem.
I want to be sure I'm being really clear about the problem here. The problem is that neither POST nor GET requests can be issued cross-origin using jquery if the Authorization header is being set, because it generates a faulty OPTIONS request. This doesn't happen using the native DOM methods. Does that make sense?
comment:3 Changed 11 years ago by
I can verify what David said is still actual to the day I'm posting this comment (at version 1.9.1).
It doesn't even seem to matter if you use POST or GET - the OPTIONS preflight request doesn't contain the "Authorization" header, thus ending in an unauthorized request to the server.
comment:4 Changed 11 years ago by
Description: | modified (diff) |
---|
comment:5 Changed 11 years ago by
What I see here is that the first request is synchronous, while the second one is not. Also, it's still not clear what's happening and what's expected, since none is given (no log, no screen, nothing).
Would you be able to provide a verifiable test-case (ie. a page on the internet that shows the problem in a minimal fashion -- not a full-fledged web app)? If such a test case cannot be presented and the discrepancies between the expected and actual behaviours are not stated, we just cannot re-open this.
comment:6 Changed 10 years ago by
I have the same problem... OPTIONS has no additional header, but the POST/GET-Call has
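
A CORS preflight OPTIONS request never carries the Authorization header itself; the browser only names it in Access-Control-Request-Headers, so a server that authenticates before answering the preflight rejects it and the real request is never sent. The following is an added example, not part of the ticket or of jQuery, contrasting that ordering with one that answers the preflight first; the origin, token and request/response object shapes are assumptions.

```javascript
// Added example (not from the ticket). ALLOWED_ORIGIN, EXPECTED_TOKEN and the
// plain request/response objects are assumptions made for illustration.
const ALLOWED_ORIGIN = 'https://app.example';   // constructed value
const EXPECTED_TOKEN = 'test';                  // constructed value
const ALLOWED_HEADERS = ['authorization', 'content-type'];

const corsHeaders = (extra) =>
  ({ 'Access-Control-Allow-Origin': ALLOWED_ORIGIN, Vary: 'Origin', ...extra });
// A preflight is an OPTIONS request carrying Access-Control-Request-Method.
const isPreflight = (req) =>
  req.method === 'OPTIONS' && 'access-control-request-method' in req.headers;
const authorized = (req) => req.headers['authorization'] === EXPECTED_TOKEN;

// Misconfigured ordering: authentication runs before the preflight check, so
// every preflight is rejected and the browser never sends the real request.
function handleAuthFirst(req) {
  if (!authorized(req)) return { status: 401, headers: {} };
  if (isPreflight(req)) return answerPreflight(req);
  return { status: 200, headers: corsHeaders({}) };
}

// Corrected ordering: answer the preflight without credentials, then
// authenticate the actual GET/POST.
function handlePreflightFirst(req) {
  if (req.headers['origin'] !== ALLOWED_ORIGIN) return { status: 403, headers: {} };
  if (isPreflight(req)) return answerPreflight(req);
  if (!authorized(req)) return { status: 401, headers: corsHeaders({}) };
  return { status: 200, headers: corsHeaders({}) };
}

function answerPreflight(req) {
  const asked = (req.headers['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  // Refuse header names outside the allow-list instead of echoing them back.
  if (!asked.every((h) => ALLOWED_HEADERS.includes(h))) return { status: 403, headers: {} };
  return { status: 204, headers: corsHeaders({
    'Access-Control-Allow-Methods': 'GET, POST',
    'Access-Control-Allow-Headers': ALLOWED_HEADERS.join(', '),
  }) };
}

// Constructed requests modelled on the ticket's XMLHttpRequest snippet.
const preflight = { method: 'OPTIONS', headers: { origin: ALLOWED_ORIGIN,
  'access-control-request-method': 'POST', 'access-control-request-headers': 'authorization' } };
const actual = { method: 'POST', headers: { origin: ALLOWED_ORIGIN, authorization: 'test' } };

console.log(handleAuthFirst(preflight).status, handlePreflightFirst(preflight).status,
  handlePreflightFirst(actual).status); // 401 204 200
```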