Bug Tracker

Changes between Initial Version and Version 2 of Ticket #13491


Timestamp: Feb 21, 2013, 6:20:04 AM (7 years ago)
Author: jaubourg
Comment:

Replying to anonymous:

Additionally, your bug submission system failed to accurately reproduce what I typed. It should have saved the field value verbatim to the database, then on production of HTML output, escaped ampersands, less-than signs, and wrapped it in a PRE element. Instead it tried to do all kinds of fancy reformatting, resulting in a colossal mess. Congratulations.

I guess you missed the WikiFormatting link. Congratulations.

I fixed your post for you.

The Stack Overflow question you reference has nothing to do with X-Requested-With. It's just someone foolishly trying to bypass the same origin barrier by overriding the Origin header (which is impossible and pointless as is clearly stated in the selected answer).

jQuery always sent the X-Requested-With header for same-origin requests (oldest version I could check this in is 1.1.2). It is completely harmless, as it will be ignored server-side unless some code specifically checks for it, and only costs 31 bytes. It won't go, for backward-compatibility purposes (because server-side code may rely on it).

  • Ticket #13491

    • Property Status changed from new to closed
    • Property Resolution changed from to notabug
  • Ticket #13491 – Description

    initial v2  
    77It instead sends a header with an empty value.
    88
    9 
    109The code at fault is:
    1110
     11{{{#!js
    1212// X-Requested-With header
    1313// For cross-domain requests, seeing as conditions for a preflight are
     
    1717if(!s.crossDomain && !headers["X-Requested-With"])
    1818  headers["X-Requested-With"] = "XMLHttpRequest";
     19}}}
    1920
    2021which is immediately followed by
    2122
     23{{{#!js
    2224for(i in headers)
    2325  xhr.setRequestHeader(i, headers[i]);
    2426xhr.send();
     27}}}
    2528
    2629This means there is NO WAY to suppress the header from being sent on same-origin requests.
     
    2932I would like to request one or two of these three changes which would allow this:
    3033
    31 1) some flag that can be set to true in .ajaxSetup(), default to send (i.e. no change to current behaviour by default):
     341. some flag that can be set to true in .ajaxSetup(), default to send (i.e. no change to current behaviour by default):
    3235
     36{{{#!js
    3337if(!s.crossDomain && !headers["X-Requested-With"] && !s.suppressRequestedWithHeader)
    3438  headers["X-Requested-With"] = "XMLHttpRequest";
     39}}}
    3540
    36 2) some flag that can be set to true in .ajaxSetup(), default to not send (i.e. reduces unnecessary internet traffic):
     412. some flag that can be set to true in .ajaxSetup(), default to not send (i.e. reduces unnecessary internet traffic):
    3742
     43{{{#!js
    3844if(!s.crossDomain && !headers["X-Requested-With"] && s.sendRequestedWithHeader)
    3945  headers["X-Requested-With"] = "XMLHttpRequest";
     46}}}
    4047
    41 3) [not exclusive with 1 or 2] Validate that headers set have non-empty values:
     483. [not exclusive with 1 or 2] Validate that headers set have non-empty values:
    4249
     50{{{#!js
    4351for(i in headers)
    4452  if(headers[i] != '')
    4553    xhr.setRequestHeader(i, headers[i]);
    4654xhr.send();
     55}}}
    4756
    48 This will allow jqXHR.setRequestHeader('X-Requested-With','') to suppress the header (rather than use a boolean).
     57This will allow `jqXHR.setRequestHeader('X-Requested-With','')` to suppress the header (rather than use a boolean).
    4958
    5059I would like #2 and #3 but I'd understand if you went with #1 and #3. Only doing #1 would be the most conservative and least helpful (barring of course, not fixing this bug!).
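
Review bot: in option 3, the check `if(headers[i] != '')` uses loose inequality, so it skips more than the empty string: a header value of `0` or `false` also compares equal to `''` and would silently be dropped. Use `headers[i] !== ''` if only the empty string is meant to suppress a header, and state in the description that this changes behaviour for any caller that currently sends an empty-valued header on purpose, since the text above says an empty value is what gets sent today.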