Cross origin AJAX request always preflighted
|Reported by:||Arjen||Owned by:||jaubourg|
By setting a custom header, X-Requested-With, all cross-domain ajax request will be pre-flighted and need an extra OPTIONS http request.
"If the force preflight flag is false and the following conditions are all true, follow the simple cross-origin request algorithm:
- The request method is a simple method.
- Each of the custom request headers is a simple header or custom request headers is empty."
So GET, HEAD and POST calls with 'simple' headers (http://www.w3.org/TR/cors/#simple-header) don't need preflight.
The are some restrictions on the allowed values for the Content-Type header, only application/x-www-form-urlencoded, multipart/form-data, or text/plain are considered 'safe' (https://developer.mozilla.org/en/HTTP_access_control#Preflighted_requests) This is also mentioned in de WD: http://www.w3.org/TR/cors/#design-decision-faq
- Don't set a custom X-Requested-With header at all. They don't provide any extra security at all.
- Only set the header when request must be preflighted, i.e. has custom headers, type is not one of GET, POST or HEAD or Content-Type is not 'safe'.