
Non-standard X-Requested-With should be opt-in not opt-out #3273

Closed
derekm opened this issue Jan 30, 2018 · 5 comments · Fixed by #3442

Comments

derekm commented Jan 30, 2018

X-Requested-With is a non-standard header that isn't called for by the XMLHttpRequest living standard.

This header should be presented only on an opt-in basis. Ajax requests should not come with this header by default.

derekm (author) commented Jan 31, 2018

Here is where it was decided to remove this erroneous header from Angular back in 2012: angular/angular.js#1004

derekm (author) commented Jan 31, 2018

A more recent take on this issue in Angular's issues: angular/angular.js#11008 (comment)

benlesh added a commit to benlesh/rxjs that referenced this issue Mar 16, 2018
benlesh added a commit that referenced this issue Mar 16, 2018
BREAKING CHANGE: will no longer execute a CORS request by default, you must opt-in with the `crossDomain` flag in the config.

closes #3273
derekm (author) commented Mar 16, 2018

@benlesh -- This could be a breaking change for some people that are using the X-Requested-With anti-pattern in their server-side code... So this change should be called out very explicitly in the release notes. Thanks for the fix!
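To make the "anti-pattern" above concrete, here is an added illustration (not code from the rxjs project or from this issue) of what breaks on the server side when a client library stops sending `X-Requested-With` by default. Both classifier functions (`isAjaxByLegacyHeader`, `wantsJson`) and the sample request header sets are constructed for this example; they are not taken from any real application. The point it shows: a server that decides "is this an Ajax call?" by looking for the non-standard header misclassifies requests from any standards-conforming client, whereas negotiating on the `Accept` header keeps working regardless of which client library sent the request.

```javascript
// Added example, not from the rxjs project: why server-side branching on the
// non-standard X-Requested-With header is fragile once clients only send it
// on an opt-in basis. Header names are lowercased as Node's http module does.

// Anti-pattern: treat a request as "Ajax" only if the non-standard header is present.
function isAjaxByLegacyHeader(headers) {
  return (headers['x-requested-with'] || '').toLowerCase() === 'xmlhttprequest';
}

// Standards-based alternative: decide the response format from the Accept header.
// Parses "type;q=..." entries and looks for an explicit application/json media type.
function wantsJson(headers) {
  const accept = (headers['accept'] || '').toLowerCase();
  return accept
    .split(',')
    .map((part) => part.trim().split(';')[0])
    .includes('application/json');
}

// Constructed sample requests (hypothetical header sets, not captured traffic).
const sampleRequests = [
  {
    name: 'legacy client that always sets the header',
    headers: { accept: 'application/json', 'x-requested-with': 'XMLHttpRequest' },
  },
  {
    name: 'client that sends the header only on opt-in (not opted in here)',
    headers: { accept: 'application/json' },
  },
  {
    name: 'plain browser navigation',
    headers: { accept: 'text/html,application/xhtml+xml,*/*;q=0.8' },
  },
];

// Runs both classifiers over one request and reports what each would conclude.
function classify(req) {
  return {
    name: req.name,
    legacyHeaderSaysAjax: isAjaxByLegacyHeader(req.headers),
    acceptSaysJson: wantsJson(req.headers),
  };
}

// Classifies every sample request; the second one is where the two approaches diverge.
function classifyAll() {
  return sampleRequests.map(classify);
}

for (const result of classifyAll()) {
  console.log(result);
}
```

The second sample request is the interesting one: the legacy check reports "not Ajax" and a server relying on it would fall back to an HTML response or a redirect, even though the client clearly asked for JSON. That is the breakage this change can surface, and why it deserves an explicit release note.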

derekm (author) commented Mar 16, 2018

@benlesh -- Isn't the "BREAKING CHANGE" notice in your second commit stating things backwards? It will now execute a CORS request by default, it will no longer execute an X-Requested-With request by default.

lock bot commented Jun 5, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

lock bot locked as resolved and limited conversation to collaborators Jun 5, 2018