Skip to main content

Bug Tracker

Side navigation

#4858 closed bug (duplicate)

Opened July 07, 2009 05:41AM UTC

Closed November 25, 2009 06:29PM UTC

Access control behaves differently with custom headers set - and jQ sets a custom header

Reported by: kesor Owned by:
Priority: major Milestone: 1.4
Component: ajax Version: 1.3.2
Keywords: Cc:
Blocked by: Blocking:
Description

According to the specs for Access-Control, using a 'POST' to a cross-domain should not trigger an OPTIONS pre-flight. Unless there are non-standard headers that is.

http://www.w3.org/TR/2007/WD-access-control-20071126/

https://developer.mozilla.org/en/HTTP_access_control

These two lines in jquery.js set a custom header, and cause a preflight OPTIONS request:

Set header so the called script knows that it's an XMLHttpRequest

xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");

Would be great if it could be either disabled by default for cross-domain requests, or removed completely, or made optional with a provided switch to toggle it on and off.

Same bug in Dojo: http:trac.dojotoolkit.org/ticket/9486

Attachments (0)
Change History (1)

Changed November 25, 2009 06:29PM UTC by john comment:1

resolution: → duplicate
status: newclosed

Duplicate of #4601.