Request class: please, implement option to force simple cross-site requests to avoid preflights #2505

gajdusek opened this Issue · 2 comments

3 participants



The browser always sends preflight requests (OPTIONS) when doing cross-site requests because of the X-Requested-With header added to the xhr. It would be nice to have an option to send simple cross-site requests.

I use the following code implementing a new 'simple' option, based on article

@@ -5227,6 +5227,7 @@ var Request = this.Request = new Class({
                        'Accept': 'text/javascript, text/html, application/xml, text/xml, */*'
                async: true,
+               simple: false,
                format: false,
                method: 'post',
                link: 'ignore',
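
Review bot: The new `simple: false` default has no comment or documentation saying what enabling it does, and the name does not tell a caller that headers will be left off the request. Suggest documenting beside the option that it skips every header other than Accept, Accept-Language, Content-Language and a form-encoded, multipart or text/plain Content-Type, or choosing a name that states which side wins when it conflicts with caller-supplied headers.
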
@@ -5387,6 +5388,13 @@ var Request = this.Request = new Class({
                xhr.onreadystatechange = this.onStateChange.bind(this);

                Object.each(this.headers, function(value, key){
+                       if (this.options.simple) {
+                               if (!(
+                                       /^(accept|accept-language|content-language)$/i.test(key) ||
+                                       (/^content-type$/i.test(key) &&
+                                       /^(application\/x-www-form-urlencoded|multipart\/form-data|text\/plain)(;.+)?$/i.test(value))))
+                                       return;
+                       }
                        try {
                                xhr.setRequestHeader(key, value);
                        } catch (e){
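
Review bot: In the `if (this.options.simple)` block the bare `return;` skips `xhr.setRequestHeader` for every non-matching header with no signal, so a header the caller set explicitly is lost the same way as a library default, and because it runs before the `try`, the `catch` path never sees it. Suggest reporting the skipped headers (an event or a thrown error) or filtering only the headers the caller did not set. Two smaller points: the callback reads `this.options`, so confirm the `Object.each` call passes the Request instance as its bind argument, and the check covers headers only, so a request with `simple: true` and a method other than GET, HEAD or POST would still be preflighted.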

I see the need. Yet I don't like the idea of Request resolving conflicting arguments without an error. When the desire for 'simple' conflicts with custom 'header' options added over time there isn't a universal answer as to which should win. In my usage I might not care if the automatic x-requested-with is silently discarded, but I would definitely care if my custom header is discarded. So my business rule might be

if ( simple && no_user_custom_x_headers ) { send simple-compatible headers only } else { send all custom headers }

Maybe just changing the option name to something with a clear precedence ( options.forcesimple or options.attemptsimple ) would be better.
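
The two precedence rules suggested in this comment, sketched as an added example (not code from the thread or from MooTools). `planHeaders`, `isSafelisted` and the mode names are hypothetical, and the header test is the one from the patch above.

```javascript
// Added example; planHeaders, isSafelisted and the mode names are hypothetical.
// Header test copied from the patch above (names and Content-Type values only).
const SAFE_NAME = /^(accept|accept-language|content-language)$/i;
const SAFE_TYPE = /^(application\/x-www-form-urlencoded|multipart\/form-data|text\/plain)(;.+)?$/i;

function isSafelisted(name, value) {
  return SAFE_NAME.test(name) ||
    (/^content-type$/i.test(name) && SAFE_TYPE.test(String(value)));
}

// defaults: headers the library sets itself (e.g. X-Requested-With)
// custom:   headers the caller passed in explicitly
// mode:     'force'   -> simple wins; every non-safelisted header is dropped
//           'attempt' -> caller wins; filter only if no custom header is lost
//           other     -> send everything
function planHeaders(defaults, custom, mode) {
  const all = Object.assign({}, defaults, custom);
  const conflicts = Object.keys(custom).filter((k) => !isSafelisted(k, custom[k]));
  const filtered = mode === 'force' || (mode === 'attempt' && conflicts.length === 0);
  const send = {};
  const dropped = [];
  for (const name of Object.keys(all)) {
    if (!filtered || isSafelisted(name, all[name])) send[name] = all[name];
    else dropped.push(name);
  }
  // dropped is returned rather than discarded so the caller can log or reject it
  return { filtered, send, dropped, conflicts };
}

// Constructed sample input
const defaults = {
  'X-Requested-With': 'XMLHttpRequest',
  'Accept': 'text/javascript, text/html, application/xml, text/xml, */*'
};
const custom = { 'X-Api-Version': '2', 'Content-Type': 'text/plain; charset=utf-8' };

for (const mode of ['force', 'attempt']) {
  console.log(mode, JSON.stringify(planHeaders(defaults, custom, mode)));
}
```

With the sample input, 'force' drops both X-Requested-With and the caller's X-Api-Version and lists them in `dropped`, while 'attempt' sends all four headers unfiltered.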

@ibolmo ibolmo added this to the 1.6 milestone
@ibolmo ibolmo added the enhancement label

Why not just clear the headers prior to sending?

@ibolmo ibolmo closed this