Sending credentials with cross-domain posts?

Question

According to Requests with credentials, Firefox will only send credentials along with cross-domain posts if

invocation.withCredentials = "true";

is set… But it doesn't seem like jQuery's Ajax API provides any mechanism for this.

Is there something I've missed? Is there some other way I can do it?

score 181 · Accepted Answer · answered Aug 25 '11 at 12:38

181

Functionality is supposed to be broken in jQuery 1.5.

Since jQuery 1.5.1 you should use xhrFields param.

$.ajaxSetup({
    type: "POST",
    data: {},
    dataType: 'json',
    xhrFields: {
       withCredentials: true
    },
    crossDomain: true
});

Docs: http://api.jquery.com/jQuery.ajax/

Reported bug: http://bugs.jquery.com/ticket/8146

answered Aug 25 '11 at 12:38

Kangur

7,823
3
30
32

2

Now I can send cookie to subdomain :) Thank you! – Radek Oct 09 '12 at 15:33
7

Is this supposed to work for cross (non-subdomain) ajax requests as well? – streetlight Apr 02 '13 at 12:41
I'm still getting prompted for credentials – John Grabanski Jan 29 '20 at 23:36
@JohnGrabanski Did you fix your issue? – Selman Apr 20 '20 at 20:00
I'm confused, where do you add the actual credentials? – garek007 Mar 25 '21 at 21:34
@garek007 they come in cookies, auth headers, or via other means. – Kangur Jun 05 '21 at 20:40

score 41 · Answer 2 · edited Mar 14 '17 at 13:22

41

You can use the beforeSend callback to set additional parameters (The XMLHTTPRequest object is passed to it as its only parameter).

Just so you know, this type of cross-domain request will not work in a normal site scenario and not with any other browser. I don't even know what security limitations FF 3.5 imposes as well, just so you don't beat your head against the wall for nothing:

$.ajax({
    url: 'http://bar.other',
    data: { whatever:'cool' },
    type: 'GET',
    beforeSend: function(xhr){
       xhr.withCredentials = true;
    }
});

One more thing to beware of, is that jQuery is setup to normalize browser differences. You may find that further limitations are imposed by the jQuery library that prohibit this type of functionality.

edited Mar 14 '17 at 13:22

Kerem Baydoğan

10,475
1
43
50

answered Jan 13 '10 at 04:19

Doug Neiner

65,509
13
109
118

2

According to http://api.jquery.com/jQuery.post/ it should be type: "GET" and not method: 'GET' I tripped over it when using your example – Xosofox Sep 12 '12 at 09:46
1

@Xosofox I know this is an old comment, but as of jQuery 1.9, `method: 'GET'` is supported. http://api.jquery.com/jquery.ajax/ – Brad Jun 11 '15 at 23:16
2

Note that this no longer works in jQuery 3+, because (a) the api to this function has changed, and (b) it no longer has access to the XHR object, which is created after this function runs. Instead, you should use xhrFields. – Jacob Brazeal Nov 05 '19 at 15:47

chim · Answer 3 · 2017-11-17T10:15:04.263

In jQuery 3 and perhaps earlier versions, the following simpler config also works for individual requests:

$.ajax(
        'https://foo.bar.com,
        {
            dataType: 'json',
            xhrFields: {
                withCredentials: true
            },
            success: successFunc
        }
    );

The full error I was getting in Firefox Dev Tools -> Network tab (in the Security tab for an individual request) was:

An error occurred during a connection to foo.bar.com.SSL peer was unable to negotiate an acceptable set of security parameters.Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT

Sending credentials with cross-domain posts?

3 Answers3

Linked