Bug Tracker

Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#15177 closed bug (cantfix)

preflight OPTIONS not sent when credentials are given as arguments to xhr.open()

Reported by: oberhamsi
Owned by:
Priority: undecided
Milestone: None
Component: ajax
Version: 2.1.1
Keywords: cors
Cc:
Blocked by:
Blocking:

Description

Tested with jquery master from github and Firefox 30 and Chrome 35 beta.

The preflight OPTIONS request is not sent when credentials are specified as arguments to XMLHttpRequest.open().

Manually adding the "Authorization" header works in both browsers, i.e. the OPTIONS request is sent before the actual response.

The point of the examples below is to demonstrate that the required OPTIONS request is sent by the browsers in case 1) but not in case 2). Both requests fail to actually load the content because the *server's response* to the OPTIONS request is wrong.

1) OPTIONS request is correctly sent

    var url = "https://test-cors.appspot.com/";
    var username = "foo";
    var password = "bar";

    var xhr = new XMLHttpRequest();
    xhr.open('GET', url, true);
    xhr.withCredentials = true;
    xhr.setRequestHeader("Authorization", "Basic " + btoa(username + ":" + password));
    xhr.send(); 

2) OPTIONS request is *not* sent

    var url = "https://test-cors.appspot.com/";
    var username = "foo";
    var password = "bar";

    var xhr = new XMLHttpRequest();
    xhr.open('GET', url, true, username, password);
    xhr.withCredentials = true;
    xhr.send(); 

Change History (5)

comment:2 Changed 8 years ago by markelog

Resolution: cantfix
Status: new → closed

See discussion in the pull request

comment:3 Changed 8 years ago by oberhamsi

found a public server to make the examples work:

1) per spec: both, the preflight OPTIONS (without credentials) and the normal request (with credentials) are sent: http://jsfiddle.net/c5wS8/

2) preflight OPTIONS not sent resulting in a basicauth popup in chrome: http://jsfiddle.net/kukq8/

if this is intended behaviour, i would file a documentation bug regarding this ;)

comment:4 Changed 8 years ago by oberhamsi

per pull request discussion it now seems this is a browser bug.

could you guys please re-open this bug or the other one with the same problem: http://bugs.jquery.com/ticket/12698

or is this really not to be fixed?

comment:5 Changed 8 years ago by dmethvin

Do you have a proposal on how to work around this browser bug?
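
The ticket reports that the preflight is sent only when the credentials travel in an explicit Authorization header (case 1). The following is an added example, not part of the ticket or of jQuery, that wraps that form so the username/password arguments of open() are never used; `basicAuthHeader`, `openWithBasicAuth` and `RecordingXhr` are hypothetical names, and `RecordingXhr` is a constructed stand-in for XMLHttpRequest so the code also runs outside a browser.

```javascript
// Added example: send Basic credentials via an explicit Authorization header
// (case 1 in the ticket) instead of xhr.open(..., username, password) (case 2).

// Build the header value. The pair is UTF-8 encoded before base64 because a
// plain btoa(username + ":" + password) throws on characters outside Latin-1.
function basicAuthHeader(username, password) {
  if (username.includes(":")) {
    // RFC 7617: the user-id of Basic auth must not contain a colon.
    throw new Error("username must not contain ':'");
  }
  const bytes = new TextEncoder().encode(username + ":" + password);
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return "Basic " + btoa(binary);
}

// Hypothetical helper: `xhr` is an XMLHttpRequest or anything shaped like one.
function openWithBasicAuth(xhr, method, url, username, password) {
  // Deliberately omit the 4th and 5th arguments of open().
  xhr.open(method, url, true);
  xhr.withCredentials = true;
  xhr.setRequestHeader("Authorization", basicAuthHeader(username, password));
  return xhr;
}

// Constructed stand-in that records what the helper did to the request.
function RecordingXhr() {
  this.openArgs = null;
  this.headers = {};
  this.withCredentials = false;
}
RecordingXhr.prototype.open = function (...args) { this.openArgs = args; };
RecordingXhr.prototype.setRequestHeader = function (name, value) {
  this.headers[name] = value;
};

const demo = openWithBasicAuth(new RecordingXhr(), "GET",
  "https://test-cors.appspot.com/", "foo", "bar");
console.log(demo.openArgs.length, demo.headers.Authorization);
```

For the actual request to succeed after the preflight, the server has to answer the credential-less OPTIONS request and list Authorization in Access-Control-Allow-Headers.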
