Request class: please, implement option to force simple cross-site requests to avoid preflights #2505

Closed
gajdusek opened this Issue · 2 comments

3 participants

@gajdusek

Hi,

The browser always sends preflight requests (OPTIONS) when doing cross-site requests because of the X-Requested-With header added to the xhr. It would be nice to have an option to send simple cross-site requests.

I use the following code, which implements a new 'simple' option, based on the article http://kourge.net/node/131

@@ -5227,6 +5227,7 @@ var Request = this.Request = new Class({
                        'Accept': 'text/javascript, text/html, application/xml, text/xml, */*'
                },
                async: true,
+               simple: false,
                format: false,
                method: 'post',
                link: 'ignore',
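Review bot: the new `simple: false` entry in the options defaults has no comment or documentation, and the name does not say that enabling it causes headers to be discarded. A doc line stating that headers outside the simple set are not sent, and a name that signals precedence over the `headers` option, would make the behaviour predictable. The neighbouring default `method: 'post'` is compatible with a simple request, but nothing here ties `simple` to the method option.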
@@ -5387,6 +5388,13 @@ var Request = this.Request = new Class({
                xhr.onreadystatechange = this.onStateChange.bind(this);

                Object.each(this.headers, function(value, key){
+                       if (this.options.simple) {
+                               if (!(
+                                       /^(accept|accept-language|content-language)$/i.test(key) ||
+                                       (/^content-type$/i.test(key) &&
+                                       /^(application\/x-www-form-urlencoded|multipart\/form-data|text\/plain)(;.+)?$/i.test(value))))
+                                       return;
+                       }
                        try {
                                xhr.setRequestHeader(key, value);
                        } catch (e){
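Review bot: inside the `Object.each` callback, the bare `return` in the `if (this.options.simple)` branch silently drops every header that fails the test, including ones the caller set deliberately, not only the automatic X-Requested-With. Consider separating library defaults from caller-supplied headers, or at least reporting which keys were skipped. The check also covers headers only: with a method other than GET, HEAD or POST the browser still sends a preflight, so `simple` should validate `this.options.method` too. The callback reads `this.options.simple` and the closing of `Object.each` is outside the visible context, so confirm the instance is passed as the bind argument.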
@swhiteman

I see the need. Yet I don't like the idea of Request resolving conflicting arguments without an error. When the desire for 'simple' conflicts with custom 'header' options added over time there isn't a universal answer as to which should win. In my usage I might not care if the automatic x-requested-with is silently discarded, but I would definitely care if my custom header is discarded. So my business rule might be

if ( simple && no_user_custom_x_headers ) { send simple-compatible headers only } else { send all custom headers }

Maybe just changing the option name to something with a clear precedence ( options.forcesimple or options.attemptsimple ) would be better.

@ibolmo ibolmo added this to the 1.6 milestone
@ibolmo ibolmo added the enhancement label
@ibolmo
Owner

Why not just clear the headers prior to sending?

@ibolmo ibolmo closed this
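
The precedence rule discussed in this thread, written out as an added example (not MooTools code and not from any participant): automatic library headers are dropped to keep a request simple, but a caller-set header is never discarded and the conflict is reported instead. It reuses the header test from the patch and goes beyond the thread by also checking the method. `planSimpleRequest`, `isSimpleHeader` and the sample values are hypothetical.

```javascript
// Added example; not MooTools code. All names here are hypothetical.
const SIMPLE_METHODS = ['get', 'head', 'post'];
const SIMPLE_NAMES = /^(accept|accept-language|content-language)$/i;
const SIMPLE_TYPES = /^(application\/x-www-form-urlencoded|multipart\/form-data|text\/plain)(;.+)?$/i;

// Same header test as the patch in the issue.
function isSimpleHeader(key, value) {
  return SIMPLE_NAMES.test(key) ||
    (/^content-type$/i.test(key) && SIMPLE_TYPES.test(String(value)));
}

// libraryHeaders: headers the library adds by itself (e.g. X-Requested-With).
// userHeaders: headers the caller set explicitly; these are never discarded.
function planSimpleRequest(method, libraryHeaders, userHeaders) {
  const reasons = [];
  if (!SIMPLE_METHODS.includes(String(method).toLowerCase())) {
    reasons.push('method ' + method);
  }
  for (const key of Object.keys(userHeaders)) {
    if (!isSimpleHeader(key, userHeaders[key])) reasons.push('header ' + key);
  }
  if (reasons.length) {
    // Conflict: keep everything and report why a preflight will still happen.
    return { simple: false, dropped: [], reasons,
             headers: Object.assign({}, libraryHeaders, userHeaders) };
  }
  const headers = {}, dropped = [];
  for (const key of Object.keys(libraryHeaders)) {
    if (isSimpleHeader(key, libraryHeaders[key])) headers[key] = libraryHeaders[key];
    else dropped.push(key);
  }
  return { simple: true, dropped, reasons,
           headers: Object.assign(headers, userHeaders) };
}

// Constructed sample input: the Accept value is the default shown in the patch,
// the X-Requested-With value is an assumption.
const LIBRARY_DEFAULTS = {
  'X-Requested-With': 'XMLHttpRequest',
  'Accept': 'text/javascript, text/html, application/xml, text/xml, */*'
};
console.log(planSimpleRequest('post', LIBRARY_DEFAULTS, {}));
console.log(planSimpleRequest('post', LIBRARY_DEFAULTS, { 'X-Auth-Token': 'example' }));
```
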