Bug Tracker

Opened 5 years ago

Closed 5 years ago

Last modified 4 years ago

#12698 closed bug (notabug)

broken CORS preflight request when setting Authorization header

Reported by: david.millet@…
Owned by:
Priority: undecided
Milestone: None
Component: unfiled
Version: 1.8.2
Keywords:
Cc:
Blocked by:
Blocking:

Description (last modified by jaubourg)

This code generates a proper CORS preflight request due to the setting of the Authorization header:

(function() {
  var x = new XMLHttpRequest();
  x.open('POST', 'https://' + document.domain, false); // synchronous request
  x.onreadystatechange = function() {
    if (x.readyState === 4) {
      // handler body not preserved in the ticket
    }
  };
  x.setRequestHeader('Authorization', 'test'); // custom header triggers the preflight
  x.send();
})();

This code generates a broken CORS preflight request (at least in Chrome):

(function() {
  $.ajax({
    url: 'https://' + document.domain,
    method: 'POST', // in jQuery 1.8.2 the option is "type", not "method" (see comment:1)
    headers: {
      Authorization: 'test'
    },
    success: function(text) {
      // handler body not preserved in the ticket
    }
  });
})();

I believe this may be a bug.

Change History (6)

comment:1 Changed 5 years ago by jaubourg

Resolution: notabug
Status: new → closed

The correct option is type, not method, so you're issuing a GET request here.

comment:2 in reply to: 1 Changed 5 years ago by david.millet@…

Replying to jaubourg:

The correct option is type, not method, so you're issuing a GET request here.

You're right that I accidentally used 'method' instead of 'type', but you're wrong that this fixes it. The problem persists even after fixing that problem.

I want to be sure I'm being really clear about the problem here. The problem is that neither POST nor GET requests can be issued cross-origin using jquery if the Authorization header is being set, because it generates a faulty OPTIONS request. This doesn't happen using the native DOM methods. Does that make sense?

comment:3 Changed 5 years ago by Or

I can verify what David said is still actual to the day I'm posting this comment (at version 1.9.1).

It doesn't even seem to matter if you use POST or GET - the OPTIONS preflight request doesn't contain the "Authorization" header, thus ending in an unauthorized request to the server.

comment:4 Changed 5 years ago by jaubourg

Description: modified (diff)

comment:5 Changed 5 years ago by jaubourg

What I see here is that the first request is synchronous, while the second one is not. Also, it's still not clear what's happening and what's expected, since none is given (no log, no screen, nothing).

Would you be able to provide a verifiable test case (i.e. a page on the internet that shows the problem in a minimal fashion -- not a full-fledged web app)? If such a test case cannot be presented and the discrepancies between the expected and actual behaviours are not stated, we just cannot re-open this.

comment:6 Changed 4 years ago by anonymous

I have the same problem... OPTIONS has no additional header, but the POST/GET call has.
