How to make XMLHttpRequest cross-domain withCredentials, HTTP Authorization (CORS)?

by

I’ve written an article with a complete CORS setup.

I found several issues that can result in this problem:

  1. The Access-Control-Allow-Origin cannot be a wildcard if credentials are being used. It’s easiest just to copy the Origin header of the request to this field. It’s entirely unclear why the standard would disallow a wildcard.
  2. Firefox caches the Access-Control results even if you clear the cache (perhaps for the session). Restarting forced it to do a new OPTIONS request. To aid in debugging I added the header Access-Control-Max-Age: 1
  3. The username/password of the open command is apparently not usable as the credentials. You must add an Authorization header yourself. xhr.setRequestHeader( 'Authorization', 'Basic ' + btoa( user + ':' + pass ) )

Overall the withCredentials system is rather braindead. It’s easier to simply write a server that accepts the authorization as part of the body of the request.

More Related Contents:

  1. Access-Control-Allow-Origin Multiple Origin Domains?
  2. Why is an OPTIONS request sent and can I disable it?
  3. CORS with POSTMAN
  4. When do browsers send the Origin header? When do browsers set the origin to null?
  5. CORS Access-Control-Allow-Headers wildcard being ignored?
  6. CORS request with Preflight and redirect: disallowed. Workarounds?
  7. What are proper status codes for CORS preflight requests?
  8. Setting HTTP headers
  9. Angular2 OPTIONS method sent when asking for http.GET [duplicate]
  10. What is the boundary parameter in an HTTP multi-part (POST) Request?
  11. Cross Origin Resource Sharing with Credentials
  12. What is the difference between a URI, a URL and a URN?
  13. Are the PUT, DELETE, HEAD, etc methods available in most web browsers?
  14. Is an entity body allowed for an HTTP DELETE request?
  15. Are HTTP headers case-sensitive?
  16. How to display the Authentication Challenge in UIWebView?
  17. Why am I seeing an “origin is not allowed by Access-Control-Allow-Origin” error here? [duplicate]
  18. Catching an Access-Control-Allow-Origin error in JavaScript
  19. How to make an HTTP request from SSIS?
  20. server socket receives 2 http requests when I send from chrome and receives one when I send from firefox
  21. Returning http 200 OK with error within response body
  22. HTTP status code 0 – Error Domain=NSURLErrorDomain?
  23. What is q=0.5 in Accept* HTTP headers?
  24. Basic static file server in NodeJS
  25. Orchestrating microservices
  26. Angular2 / Error: Collection not found
  27. Add subdomain to localhost URL
  28. Are JSON web services vulnerable to CSRF attacks?
  29. Service Oriented Architecture – AMQP or HTTP
  30. How to set up CORS or OPTIONS for Rocket.rs

Leave a Comment