Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

X-Requested-With request header is not set with XMLHttpRequest #17

Closed
hannesvdvreken opened this issue Oct 18, 2014 · 4 comments

Comments

Projects
None yet
4 participants
@hannesvdvreken
Copy link

commented Oct 18, 2014

Some back-ends check on X-Requested-With header to see if it is an ajax request. With fetch, that header isn't set.

@josh

This comment has been minimized.

Copy link
Member

commented Oct 18, 2014

X-Requested-With is just a header convention, its not part of any XHR or the Fetch spec.

@dgraham

This comment has been minimized.

Copy link
Member

commented Oct 18, 2014

The XMLHttpRequest used by the fetch polyfill is an implementation detail. When browsers start shipping window.fetch natively, the X-Requested-With header won't be sent along with the request. So it would be an error to rely on that header being sent from the polyfill.

Here's a simple fetch wrapper we're using at GitHub that provides some of the missing behavior from Rails' integration with jQuery.

https://gist.github.com/dgraham/92e4c45da3707a3fe789

In practice, sites are going to need a small wrapper like this to work with window.fetch as easily as jQuery's $.ajax.

/cc @annevk This wrapper might or might not inform the fetch spec.

@dgraham dgraham closed this Oct 18, 2014

@hannesvdvreken

This comment has been minimized.

Copy link
Author

commented Oct 18, 2014

👍 Thanks for the information!

@annevk

This comment has been minimized.

Copy link

commented Oct 19, 2014

@dgraham that wrapper seems to assume a document environment. The CSRF stuff would break in a worker environment.

@dgraham if you want standardized CSRF tokens, perhaps email whatwg@whatwg.org or public-webappsec@w3.org (need to subscribe first for the former). Might be worth doing.

davidbgk referenced this issue in betagouv/zam Mar 12, 2019

davidbgk added a commit to betagouv/zam that referenced this issue Mar 13, 2019

davidbgk added a commit to betagouv/zam that referenced this issue Mar 13, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.