Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to disable 'withcredentials' in HTTP header with node.js and Request package?

Using node.js and the Request package from the browser (via browserify), I am using CORS to do a HTTP GET request on a separate domain.

On the server, when I set 'Access-Control-Allow-Origin' to the wildcard '*', I get the following error on the client:

XMLHttpRequest cannot load .... A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin '...' is therefore not allowed access.

The HTTP request header looks like this:

Accept:*/*
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8,ja;q=0.6
Access-Control-Request-Headers:withcredentials
Access-Control-Request-Method:GET
Cache-Control:no-cache
Connection:keep-alive
Host:localhost:3000
Origin:http://localhost:9966
Pragma:no-cache
Referer:http://localhost:9966/
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36

So clearly the problem is Access-Control-Request-Headers:withcredentials in the header, right?

To be able to remove this, I need to set the 'withcredentials' property of the 'XMLHttpRequest' object to 'false'. However, I cannot figure out where node.js or the Request package are creating the 'XMLHttpRequest' object, and how I can even access this.

Thanks.

like image 437
smg Avatar asked Jun 26 '14 14:06

smg


1 Answers

After some investigation, I discovered that the withCredentials setting can be passed in via the options parameter object:

var req = http.request({
    withCredentials: false
}, function(res) {
    //...
});

req.end();

If undefined, the default setting is true.

Reference from the http-browserify/lib/request.js source:

if (typeof params.withCredentials === 'undefined') {
    params.withCredentials = true;
}

try { xhr.withCredentials = params.withCredentials }
catch (e) {}
like image 76
smg Avatar answered Oct 02 '22 14:10

smg