Skip to content
Permalink
Browse files
The script prefilter now forces cross-domain requests type to GET.
  • Loading branch information
@jaubourg
jaubourg committed Jan 16, 2011
1 parent 914aa3d commit f74b844
Showing 1 changed file with 1 addition and 0 deletions.
1 src/ajax/script.js
View file
@@ -23,6 +23,7 @@ jQuery.ajaxSetup({
}

if ( s.crossDomain ) {
s.type = "GET";
s.global = false;
}

4 comments on commit f74b844

@leandro
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jaubourg Hello. I'm facing an issue because of this addition. This commit apparently doesn't have any comment that explains why the line is added. Could you explain why it's needed? Is it because some sort security issue? Otherwise I'll need to patch it inside my production app to avoid some issues it's facing.

@leandro
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As I've double checked CORS' rules, there is the preflight thing, but it's actually something that the browser should care of, not the JS library that performs the AJAX request:

For AJAX and HTTP request methods that can modify data (usually HTTP methods other than GET, or for POST usage with certain MIME types), the specification mandates that browsers "preflight" the request, soliciting supported methods from the server with an HTTP OPTIONS request header, and then, upon "approval" from the server, sending the actual request with the actual HTTP request method.

From https://en.wikipedia.org/wiki/Cross-origin_resource_sharing#How_CORS_works

@dmethvin
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello. I'm facing an issue because of this addition.

@leandro If you can provide more information about the problem as it exists in the code, such as a test case showing the problem, open a new issue on our issue tracker.

@leandro
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dmethvin I don't think it's a bug, because it's clear it's a feature implemented by the committed line above. The issue is that my script is sending data via cross-domain POST (just different subdomains, actually), but then it gets automatically changed to GET because of that line and that breaks my page. I really need to send the data via POST and process the response as 'script'.

Please sign in to comment.