Opened 14 years ago
Closed 13 years ago
#4858 closed bug (duplicate)
Access control behaves differently with custom headers set - and jQ sets a custom header
Reported by: | kesor | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | 1.4 |
Component: | ajax | Version: | 1.3.2 |
Keywords: | Cc: | ||
Blocked by: | Blocking: |
Description
According to the specs for Access-Control, using a 'POST' to a cross-domain should not trigger an OPTIONS pre-flight. Unless there are non-standard headers that is.
http://www.w3.org/TR/2007/WD-access-control-20071126/ https://developer.mozilla.org/en/HTTP_access_control
These two lines in jquery.js set a custom header, and cause a preflight OPTIONS request:
Set header so the called script knows that it's an XMLHttpRequest xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
Would be great if it could be either disabled by default for cross-domain requests, or removed completely, or made optional with a provided switch to toggle it on and off.
Same bug in Dojo: http://trac.dojotoolkit.org/ticket/9486
Duplicate of #4601.