Ff111 fetch authorization cross origin #25127
Rumyra merged 6 commits into mdn:main from hamishwillee:ff111_fetch_authorization_cross_origin on Mar 14, 2023
Commits
95d64e2 Authorization header stripped from fetch() cross origin redirects (hamishwillee)
ba8f1a8 improve the text a bit (hamishwillee)
d4a08a9 FF111 release note about fetch cross-origin redirects (hamishwillee)
f2920ae Relnote. This also affects XMLHttpRequest and the HTTP channel (hamishwillee)
03f0675 XMLHttpRequest.setRequestHeader() - add note about header being stripped (hamishwillee)
7053114 Add note to Authorization header (hamishwillee)
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -7,26 +7,20 @@ browser-compat: api.XMLHttpRequest.setRequestHeader | |
|
||
{{APIRef('XMLHttpRequest')}} | ||
|
||
The {{domxref("XMLHttpRequest")}} method | ||
**`setRequestHeader()`** sets the value of an HTTP request | ||
header. When using `setRequestHeader()`, you must call it after calling | ||
{{domxref("XMLHttpRequest.open", "open()")}}, but before calling | ||
{{domxref("XMLHttpRequest.send", "send()")}}. If this method is called several times | ||
with the same header, the values are merged into one single request header. | ||
The {{domxref("XMLHttpRequest")}} method **`setRequestHeader()`** sets the value of an HTTP request header. | ||
When using `setRequestHeader()`, you must call it after calling {{domxref("XMLHttpRequest.open", "open()")}}, but before calling {{domxref("XMLHttpRequest.send", "send()")}}. | ||
If this method is called several times with the same header, the values are merged into one single request header. | ||
|
||
Each time you call `setRequestHeader()` after the first time you call it, | ||
the specified text is appended to the end of the existing header's content. | ||
Each time you call `setRequestHeader()` after the first time you call it, the specified text is appended to the end of the existing header's content. | ||
|
||
If no {{HTTPHeader("Accept")}} header has been set using this, an `Accept` | ||
header with the type `"*/*"` is sent with the request when | ||
{{domxref("XMLHttpRequest.send", "send()")}} is called. | ||
If no {{HTTPHeader("Accept")}} header has been set using this, an `Accept` header with the type `"*/*"` is sent with the request when {{domxref("XMLHttpRequest.send", "send()")}} is called. | ||
|
||
For security reasons, there are several {{Glossary("Forbidden_header_name", "forbidden header names")}} whose values are controlled by the user agent. Any attempt to set a value for one of those headers from frontend JavaScript code will be ignored without warning or error. | ||
|
||
> **Note:** For your custom fields, you may encounter a "**not | ||
> allowed by Access-Control-Allow-Headers in preflight response**" exception | ||
> when you send requests across domains. In this situation, you need to set up the | ||
> {{HTTPHeader("Access-Control-Allow-Headers")}} in your response header at server side. | ||
In addition, the [`Authorization`](/en-US/docs/Web/HTTP/Headers/Authorization) HTTP header may be added to a request, but will be removed if the request is redirected cross-origin. | ||
FYI, this is the only new content here - the rest is layout. All it does is note that if the authorization header is added it will be stripped. |
||
|
||
> **Note:** For your custom fields, you may encounter a "**not allowed by Access-Control-Allow-Headers in preflight response**" exception when you send requests across domains. | ||
> In this situation, you need to set up the {{HTTPHeader("Access-Control-Allow-Headers")}} in your response header at server side. | ||
|
||
## Syntax | ||
|
||
|
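Review bot: The new `Authorization` sentence opens with "In addition" directly after the paragraph on forbidden header names, so it reads as if `Authorization` were one more header whose value is ignored, while the sentence itself says the header may be added and is only removed on a cross-origin redirect. Suggest dropping "In addition" and giving it its own paragraph, for example "The `Authorization` header may be added to a request, but is removed if the request is redirected cross-origin." The link is also written as a raw path, `[`Authorization`](/en-US/docs/Web/HTTP/Headers/Authorization)`, where the neighbouring lines use `{{HTTPHeader("Accept")}}` and `{{HTTPHeader("Access-Control-Allow-Headers")}}`; `{{HTTPHeader("Authorization")}}` would match them. The line does not say what the caller observes when the header is removed or which browser versions behave this way, even though the PR title ties the change to FF111; one clause covering each would help readers diagnose a redirected request that arrives without credentials.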
FYI this is part of the same work as the stuff down in APIs for `fetch()`. But it is kind of separate in that it is at the HTTP layer in code, and this is where you might look for it.