I recently encountered this issue when attempting to load a CSV file on another domain with jSpreadsheet. The request to fetch the CSV file failed even when the other server (say, GitHub Gist raw data) has `Access-Control-Allow-Origin` set to `*`.
A more careful look at the error log suggests that jSpreadsheet uses this library's AJAX module to load the CSV file. However, in the following segment of code, a custom header of `X-Requested-With` is set. Further down the code, to avoid hitting a cache, some other headers were also set, but that could be worked around without much effort, so it is out of scope.
https://github.com/jsuites/jsuites/blob/master/src/ajax.js#L105
According to MDN, `X-Requested-With` is not part of the safelisted request headers (Accept, Accept-Language, Content-Language, Content-Type), thus this causes the request, despite being a simple GET, to need a CORS preflight to complete. As the other website does not recognize the additional unsafe headers, the preflight failed and I failed to get the data from them.
I worked around this issue by manually creating an XHR to obtain the data, then feeding the data into a CSV parser and into jSpreadsheet. However, that just looks ugly compared to the alternative of specifying the CSV's address on initialization of jSpreadsheet and getting things done.
Now I wonder, is there any reasoning behind setting such a custom header when doing any XHR request from the AJAX module of this library, such as not allowing anyone to use the library to access anything that is outside of their origin? Is there any method to not set such headers that are not safelisted when doing an AJAX request?
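The preflight decision described in the issue, as an added example that is not part of the original post or the jSuites code: a simplified model of the Fetch standard's CORS-safelist rules, showing why one custom header turns a plain GET into a preflighted request and why `Access-Control-Allow-Origin: *` alone does not satisfy that preflight. The function names and the header value `XMLHttpRequest` are assumptions; the `Range` header and byte-level value checks are omitted.

```javascript
// Added example: simplified model of the Fetch standard's CORS preflight rules.
// Function names are hypothetical; only method and header checks are modelled.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// True when a request header (name and value) is CORS-safelisted.
function isSafelistedHeader(name, value) {
  if (value.length > 128) return false;
  switch (name.toLowerCase()) {
    case "accept":
      return true; // byte-level value restrictions omitted in this model
    case "accept-language":
    case "content-language":
      return /^[0-9A-Za-z *,\-.;=]*$/.test(value);
    case "content-type":
      return SAFE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase());
    default:
      return false; // any other author-set header, e.g. X-Requested-With
  }
}

// Lowercased names of the headers that force a preflight.
function unsafeHeaderNames(headers) {
  return Object.entries(headers)
    .filter(([name, value]) => !isSafelistedHeader(name, value))
    .map(([name]) => name.toLowerCase())
    .sort();
}

function needsPreflight(method, headers) {
  return !SAFE_METHODS.has(method.toUpperCase()) || unsafeHeaderNames(headers).length > 0;
}

// Does the preflight response's Access-Control-Allow-Headers cover the request?
// allowHeaders is the raw header value or null when absent (non-credentialed request).
function preflightPasses(headers, allowHeaders) {
  const allowed = (allowHeaders || "").split(",").map((h) => h.trim().toLowerCase());
  return unsafeHeaderNames(headers).every(
    (h) => allowed.includes(h) || (allowed.includes("*") && h !== "authorization"));
}

// Constructed sample: the GET from the issue, without and with the custom header.
const withHeader = { "X-Requested-With": "XMLHttpRequest" };
console.log(needsPreflight("GET", {}));         // simple request, no preflight
console.log(needsPreflight("GET", withHeader)); // preflight required
console.log(preflightPasses(withHeader, null)); // server sends no Allow-Headers
```

A server that answers the preflight with only `Access-Control-Allow-Origin: *` corresponds to the `null` case in `preflightPasses`, which is the failure the issue reports.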