#8423 closed bug (fixed)
Cross origin AJAX request always preflighted
| Reported by: | Arjen | Owned by: | jaubourg |
|---|---|---|---|
| Priority: | high | Milestone: | 1.5.2 |
| Component: | ajax | Version: | 1.5.1 |
| Keywords: | Cc: | ||
| Blocked by: | Blocking: |
Description
By setting a custom header, X-Requested-With, all cross-domain ajax request will be pre-flighted and need an extra OPTIONS http request.
http://www.w3.org/TR/cors/#cross-origin-request
"If the force preflight flag is false and the following conditions are all true, follow the simple cross-origin request algorithm:
- The request method is a simple method.
- Each of the custom request headers is a simple header or custom request headers is empty."
So GET, HEAD and POST calls with 'simple' headers (http://www.w3.org/TR/cors/#simple-header) don't need preflight.
The are some restrictions on the allowed values for the Content-Type header, only application/x-www-form-urlencoded, multipart/form-data, or text/plain are considered 'safe' (https://developer.mozilla.org/en/HTTP_access_control#Preflighted_requests) This is also mentioned in de WD: http://www.w3.org/TR/cors/#design-decision-faq
Suggested fix:
- Don't set a custom X-Requested-With header at all. They don't provide any extra security at all.
- Only set the header when request must be preflighted, i.e. has custom headers, type is not one of GET, POST or HEAD or Content-Type is not 'safe'.
Change History (2)
comment:1 Changed 10 years ago by
| Component: | unfiled → ajax |
|---|---|
| Milestone: | 1.next → 1.5.2 |
| Owner: | set to jaubourg |
| Priority: | undecided → high |
| Status: | new → assigned |
comment:2 Changed 10 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Fixes #8423. Never set X-Requested-With header automagically for cross-domain requests.