We have recently introduced a WAF that is flagging a lot of SignalR requests due to them having the Content-Type header on GET requests.
The majority of issues seem to be coming from the /signalr/negotiate endpoint.
Since these are GET requests that do not have a body, why do they need Content-Type headers?
Expected behavior
GET requests with no body do not have a Content-Type header.
Actual behavior
GET requests with no body have a Content-Type header.
Steps to reproduce
Observe calls to the negotiate endpoint via the browser network tab / Fiddler and inspect the request.
I've done some digging into the code and I'm happy to submit a PR that I think will fix this, but I don't know why they are there in the first place. Any insight would be appreciated.
I don't believe there's a specific reason we have a Content-Type header on our GET /signalr/negotiate request, so a PR would probably be welcome. @davidfowl and @halter73 might have some history here.
I assume we're talking about the JS client, right?
I'm pretty sure this was just an oversight made when fixing #947 back in 2013 so that a user's call to $.ajaxSetup won't change the Content-Type of SignalR POST requests that do need to set the header. It looks like the negotiate request got unnecessarily caught up in this change.
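The behaviour discussed in this thread, as an added example that is not SignalR or jQuery source: a simplified model of a request wrapper that pins Content-Type so page-wide defaults cannot change it, next to a variant that pins it only when a body is sent. The function names, the pinned value, the `pageDefaults` object (standing in for a page's `$.ajaxSetup` call) and the POST path are assumptions.

```javascript
// Constructed model of the option merging described in the thread.
// Assumed value; the thread does not state which Content-Type is pinned.
const PINNED_TYPE = "application/x-www-form-urlencoded; charset=UTF-8";

// A request carries a body only if the method allows one and data is present.
const hasBody = (req) =>
  !["GET", "HEAD"].includes(req.type.toUpperCase()) && req.data != null;

// "Before" shape: Content-Type is pinned on every request, so the
// body-less negotiate GET is caught up in it as well.
function buildBefore(pageDefaults, req) {
  return { ...pageDefaults, ...req, contentType: PINNED_TYPE };
}

// "After" shape: pin the header only when a body is sent, and drop any
// Content-Type inherited from page-wide defaults otherwise.
function buildAfter(pageDefaults, req) {
  const merged = { ...pageDefaults, ...req };
  if (hasBody(req)) merged.contentType = PINNED_TYPE;
  else delete merged.contentType;
  return merged;
}

// Headers that would be sent for a set of merged options.
function toHeaders(opts) {
  return opts.contentType ? { "Content-Type": opts.contentType } : {};
}

// The condition the WAF in this issue flags: Content-Type on a GET.
function wafWouldFlag(opts) {
  return opts.type.toUpperCase() === "GET" && "Content-Type" in toHeaders(opts);
}

// Constructed inputs: a page-wide default and two requests.
const pageDefaults = { contentType: "application/json" };
const negotiate = { type: "GET", url: "/signalr/negotiate" };
const post = { type: "POST", url: "/signalr/example-post", data: "data=%7B%7D" };

for (const [name, build] of [["before", buildBefore], ["after", buildAfter]]) {
  console.log(name, "negotiate flagged:", wafWouldFlag(build(pageDefaults, negotiate)),
    "| POST Content-Type:", toHeaders(build(pageDefaults, post))["Content-Type"]);
}
```

In both variants the POST keeps the pinned Content-Type regardless of the page default; only the body-less GET changes.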