7

I am trying to create a cross origin GET request using jQuery.ajax(). My server is configured to accept such requests. Chrome will not allow me to send the headers:

Access-Control-Request-Method

Access-Control-Request-Headers

Refused to set unsafe header "Access-Control-Request-Method" <- error message

Here is my ajax request:

```javascript
$.ajax({
    type:"GET",
    headers: {
        'Access-Control-Request-Method' : 'GET',
        'Access-Control-Request-Headers': 'X-Custom'
    },
    url: "http://localhost:3000",
    success: function(msg) {
        console.log(msg);
    }
});
```

I was expecting these headers to cause the browser to create a pre-flight request (OPTIONS) to negotiate with the server. I know that I have accomplished this before. Can someone tell me what I am forgetting?

Thanks a lot!

Nick
  • 1
    set `Access-Control-Expose-Headers` to whatever, like, `x-json` – Ohgodwhy Jul 27 '13 at 19:36
  • What? That is not a header I want to send. Can you elaborate please? – Nick Jul 27 '13 at 19:41
  • 2
    It's a workaround. You see, a preflight request is established when you want to make a cross-domain request. The preflight will check the server for what `OPTIONS` are available, and return headers as such. Until the preflight has been completed, the request will not resolve in WebKit-based browsers to avoid cross site forgery. [You can read more about it here](https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS?redirectlocale=en-US&redirectslug=HTTP_access_control) – Ohgodwhy Jul 27 '13 at 19:45
  • I know what CORS is and how preflighted requests work. I don't understand why I would want to send Access-Control-Expose-Headers header. Has there been a patch to Webkit to not allow the standard CORS headers? – Nick Jul 27 '13 at 19:54
  • Ahhh.. I see. Never mind my above statement. Apparently I do have more to learn. Please excuse me. I'll try that header. – Nick Jul 27 '13 at 19:55
  • Thank you and sorry for my hasty comment. Your help is appreciated. – Nick Jul 27 '13 at 19:57
  • Add this as an answer.. so I can give you credit for it. – Nick Jul 27 '13 at 19:58
  • Hey! I want to be able to set the "Connection" header to "keep-alive" and the "Keep-Alive" header to "600". Can you let me know how to set this header on WebKit? I keep getting "Refused to set unsafe header Keep-Alive" – BetRob Mar 06 '14 at 08:54
  • 1
    @Nick - can you update your code with what you ended up setting? – Kerry Jones Jun 18 '14 at 00:14

1 Answer

1

A PREFLIGHT options request automatically takes place on a cross domain request IF the request is not a simple request. A simple request is typically a GET request. Thus if you make a cross domain GET request there will NOT be a preflight OPTIONS request.

However, if you make a cross domain POST request, the browser will, without you instructing it to do so, make a preflight OPTIONS request first. The purpose of this request is to see whether the server permits cross-domain POST requests from your client's domain / IP.

If your server has the correct "Access-Control" headers in the response, that say, yes this client is permitted to make a cross domain POST request, then the browser will proceed to make the POST request. If your server says NO (because the "Access-Control" headers on your server are wrong) then the browser will respect that and will NOT make the second POST request.

See https://www.html5rocks.com/en/tutorials/cors/#toc-handling-a-not-so-simple-request for more info.

Also, you must make sure your server is set to handle incoming OPTIONS requests.

danday74
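As an added example (not code from the question or the answer), the sketch below follows the Fetch standard's rules to predict what a browser does with a cross-origin request made from script: which headers it refuses to set, and whether it sends a preflight OPTIONS request first. The function name `planCorsRequest` and the sample inputs are constructed for illustration, and the check goes slightly beyond the cases discussed above by also covering the Content-Type safelist.

```javascript
// Added example; simplified from the Fetch standard: it ignores header value
// length/byte checks, the Range header and XHR upload listeners.
const FORBIDDEN = new Set([
  'accept-charset', 'accept-encoding', 'access-control-request-headers',
  'access-control-request-method', 'connection', 'content-length', 'cookie',
  'cookie2', 'date', 'dnt', 'expect', 'host', 'keep-alive', 'origin',
  'referer', 'set-cookie', 'te', 'trailer', 'transfer-encoding', 'upgrade', 'via',
]);
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

function isForbidden(name) {
  const n = name.toLowerCase();
  return FORBIDDEN.has(n) || n.startsWith('proxy-') || n.startsWith('sec-');
}

function isSafelisted(name, value) {
  const n = name.toLowerCase();
  if (SAFE_HEADERS.has(n)) return true;
  if (n !== 'content-type') return false;
  // Only the MIME essence matters; parameters such as charset are ignored.
  return SAFE_CONTENT_TYPES.has(String(value).split(';')[0].trim().toLowerCase());
}

// Predicts what the browser does with a cross-origin request made from script.
function planCorsRequest(method, headers = {}) {
  const refused = [], sent = {}, unsafe = [];
  for (const [name, value] of Object.entries(headers)) {
    if (isForbidden(name)) { refused.push(name); continue; }
    sent[name] = value;
    if (!isSafelisted(name, value)) unsafe.push(name.toLowerCase());
  }
  const m = method.toUpperCase();
  const preflight = !SAFE_METHODS.has(m) || unsafe.length > 0;
  // The browser, not the script, writes these two headers on the OPTIONS request.
  const preflightHeaders = preflight ? {
    'Access-Control-Request-Method': m,
    ...(unsafe.length ? { 'Access-Control-Request-Headers': unsafe.sort().join(',') } : {}),
  } : null;
  return { refused, sent, preflight, preflightHeaders };
}

// Constructed inputs: the request from the question, then the same GET with X-Custom.
console.log(planCorsRequest('GET', {
  'Access-Control-Request-Method': 'GET', 'Access-Control-Request-Headers': 'X-Custom' }));
console.log(planCorsRequest('GET', { 'X-Custom': '1' }));
```

Run under Node, the first call lists both `Access-Control-Request-*` headers as refused with no preflight, while the second reports a preflight that announces `x-custom`.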