Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: xhr.withCredentials is initially false #47

Closed
wants to merge 1 commit into from
Closed

fix: xhr.withCredentials is initially false #47

wants to merge 1 commit into from

Conversation

feltnerm
Copy link

According to the XMLHttpRequest2 spec,
xhr.withCredentials should be initially false. http-browserify sets this
flag to true by default which disobeys the spec. This leads to browser errors when
making CORS requests to domains that have wildcards in their
Access-Control-Allow-Origin header.

http-browserify should attempt to follow the spec by default. In this case,
that means setting withCredentails to false initially, and then allowing
the user to override that in the passing in params.

Maybe it is possible to auto-detect when user credentials
are being sent and then set the withCredentials flag from there.

Somewhat related to #35 (the committer there expressed concern about
withCredentials being true when unintialzed as well).

@feltnerm
fix: xhr.withCredentials is initially false
e498db8 
According to the [XMLHttpRequest2 spec](http://www.w3.org/TR/XMLHttpRequest2/#the-withcredentials-attribute),
`xhr.withCredentials` should be initially `false`. http-browserify sets this
flag to `true` by default which disobeys the spec. This leads to browser errors when
making CORS requests to domains that have wildcards in their
Access-Control-Allow-Origin header.

http-browserify should attempt to follow the spec by default. In this case,
that means setting `withCredentails` to `false` initially, and then allowing
the user to override that in the passing in `params`.

Maybe it is possible to auto-detect when [user credentials](http://www.w3.org/TR/XMLHttpRequest2/#user-credentials)
are being sent and then set the `withCredentials` flag from there.

Somewhat related to #35 (the committer there expressed concern about
`withCredentials` being `true` when unintialzed as well).
@gsf
Copy link

gsf commented Apr 3, 2014

I just ran into this as well. I was glad the withCredentials option was available, but agree it should default to false.

@feltnerm
Copy link
Author

feltnerm commented Apr 9, 2014

I just ran into this as well. I was glad the withCredentials option was available, but agree it should default to false.

Yeah, it was annoying that I had a dependency that was using the http module but was not specifying the withCredentials option resulting in CORS errors. If withCredentials followed the spec, I would not have to modify/fork dependencies to work with http in the browser.

@agrueneberg
Copy link

I ran into this as well. Please merge. xhr.withCredentials definitely shouldn't be true by default.

@imhoffd
Copy link

imhoffd commented Apr 29, 2014

This is not good. Please merge.

gsf pushed a commit to gsf/http-browserify that referenced this pull request Jun 23, 2014
No default withCredentials. Updated version of browserify#47
31e9c86
This was referenced Jun 26, 2014
Closed
Merged
@feltnerm feltnerm mentioned this pull request Oct 30, 2014
Closed
@lukehorvat lukehorvat mentioned this pull request Apr 1, 2015
Closed
@feltnerm
Copy link
Author

feltnerm commented Jul 2, 2015

similar to #90

@feltnerm feltnerm closed this by deleting the head repository Mar 2, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@feltnerm @gsf @agrueneberg @imhoffd