I'm trying to do a CORS XHR post w/ credentials. It works great in Chrome, but not in Firefox. The cookies are not present in the pre-flight request headers, and so I'm seeing a 302. This works perfectly in Chrome, as cookies are in the pre-flight request headers and the subsequent POST goes through.
Why wouldn't this work in FF? What am I missing?
// assume url, boundEventHandler and uploadData are defined, as this definitely works in Chrome
var xhr = new XMLHttpRequest();
xhr.open("POST", url, true);
xhr.addEventListener("readystatechange", boundEventHandler, false);
xhr.withCredentials = true; // FWIW, I've also tried the string 'true'
xhr.send(uploadData);
Any ideas? I see some posts that say I can proxy the request on the server side, but I'd prefer to get this working in accordance w/ the CORS spec.
Thanks!
Per spec at https://www.w3.org/TR/cors/#resource-preflight-requests the preflight request never includes cookies. Specifically, the spec says:
- Exclude user credentials.
and that links to https://www.w3.org/TR/cors/#user-credentials which says:
The term user credentials for the purposes of this specification means cookies, HTTP authentication, and client-side SSL (...).
That said, the code snippet you quote above shouldn't involve a preflight at all: there are no upload event listeners, the method is a simple method, and there are no author headers set. So if you're really seeing a preflight request, the first question is why that's happening. Do you have any extensions in Firefox that might be munging your XMLHttpRequest object?
Now Chromium (the 4th of July 2014) doesn't send cookies with a preflight request. https://code.google.com/p/chromium/issues/detail?id=377541
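The server-side consequence of the credential-free preflight described above, as an added example that is not part of the original posts: a request handler that answers the preflight before any session check, so it never hits a login redirect, and still requires the cookie on the actual POST. The origin allowlist, the `session` cookie name and the `{ method, headers }` request shape are assumptions.

```javascript
// Added example. ALLOWED_ORIGINS and the "session" cookie name are assumptions.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// With credentials the browser rejects "*", so echo the exact allowed origin.
function corsHeaders(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Presence check only; a real server would validate the session value.
function hasSession(cookieHeader) {
  return /(?:^|;\s*)session=[^;]+/.test(cookieHeader || "");
}

// req: { method, headers } with lower-cased header names (as Node.js provides).
function handle(req) {
  const origin = req.headers["origin"];
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers: {} }; // unknown origin: no CORS headers at all
  }
  const cors = origin ? corsHeaders(origin) : {};
  if (req.method === "OPTIONS" && req.headers["access-control-request-method"]) {
    // Preflight carries no cookies, so it is answered before the auth check.
    return {
      status: 204,
      headers: {
        ...cors,
        "Access-Control-Allow-Methods": "POST",
        "Access-Control-Allow-Headers": "Content-Type",
        "Access-Control-Max-Age": "600",
      },
    };
  }
  if (!hasSession(req.headers["cookie"])) {
    // 401 instead of a login redirect, so the cross-origin caller can read it.
    return { status: 401, headers: cors };
  }
  return { status: 200, headers: cors };
}

// Constructed sample requests.
const preflight = { method: "OPTIONS", headers: {
  origin: "https://app.example.com", "access-control-request-method": "POST" } };
const upload = { method: "POST", headers: {
  origin: "https://app.example.com", cookie: "theme=dark; session=abc123" } };
console.log(handle(preflight).status, handle(upload).status); // 204 200
```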