Adding X-CSRF-Token header globally to all instances of XMLHttpRequest();

by

I’d recommend to intercept calls to the send method:

(function() {
    var send = XMLHttpRequest.prototype.send,
        token = $('meta[name=csrf-token]').attr('content');
    XMLHttpRequest.prototype.send = function(data) {
        this.setRequestHeader('X-CSRF-Token', token);
        return send.apply(this, arguments);
    };
}());

This won’t add the header at instantiation time, but right before the request is sent. You can intercept calls to new XMLHttpRequest() as well, but that won’t be helpful as you need to wait with adding the header until open was called.

You might also want to include a test for the target URL of the request, so that you only add the header when your own api is called. Not doing so might leak the token elsewhere, or might even break cross-domain CORS calls that don’t allow this header.

More Related Contents:

  1. Why does Google prepend while(1); to their JSON responses?
  2. Send POST data using XMLHttpRequest
  3. Origin is not allowed by Access-Control-Allow-Origin
  4. Add a “hook” to all AJAX requests on a page
  5. What is the cleanest way to get the progress of JQuery ajax request?
  6. jQuery has deprecated synchronous XMLHTTPRequest
  7. What’s the best way to retry an AJAX request on failure using jQuery?
  8. XMLHttpRequest status 0 (responseText is empty)
  9. Why am I seeing an “origin is not allowed by Access-Control-Allow-Origin” error here? [duplicate]
  10. Is onload equal to readyState==4 in XMLHttpRequest?
  11. How to upload a file using jQuery.ajax and FormData
  12. How can I send the “&” (ampersand) character via AJAX?
  13. What do the different readystates in XMLHttpRequest mean, and how can I use them?
  14. Empty responseText from XMLHttpRequest
  15. Cross-site AJAX requests
  16. WebKit “Refused to set unsafe header ‘content-length'”
  17. Intercept fetch() API requests and responses in JavaScript
  18. XMLHttpRequest to Post HTML Form
  19. Javascript: Overriding XMLHttpRequest.open()
  20. Get HTML code using JavaScript with a URL
  21. Is it possible for XHR HEAD requests to not follow redirects (301 302)
  22. CSRF protection with CORS Origin header vs. CSRF token
  23. XmlHttpRequest onprogress interval
  24. Overriding XMLHttpRequest.open()
  25. XMLHttpRequest 206 Partial Content
  26. Ajax – 500 Internal Server Error
  27. Microsoft Edge blocked cross-domain requests sent to IPs in same private network CIDR
  28. Reuse XMLHttpRequest object or create a new one?
  29. Differentiating Between an AJAX Call / Browser Request
  30. XmlHttpRequest.responseText while loading (readyState==3) in Chrome

Leave a Comment