
I am new to JavaScript. How can I add mode: no-cors to my XMLHttpRequest in JavaScript?

For example, to this code:

```javascript
var xhr = new XMLHttpRequest();
xhr.open("POST", yourUrl, true);
xhr.setRequestHeader('Content-Type', 'application/json');
xhr.send(JSON.stringify({
    value: value
}));
```
Yves M.
  • Does this answer your question? https://stackoverflow.com/questions/14667512/using-xmlhttprequest-without-cors-by-modifying-http-headers – Adil Bimzagh Aug 16 '21 at 10:05

1 Answer


XMLHttpRequest does not support no-cors mode, only fetch does.

However, you are trying to set a Content-Type of application/json, which requires permission from CORS, so you can't use no-cors mode anyway.

If you used fetch and set no-cors mode then the instruction to set the Content-Type would be ignored.

Instead, configure yourUrl to grant permission, using CORS, to make the request with the JSON Content-Type.

Quentin
  • Thank you, so as I use fetch, I don't need to set Content-Type? Right? – разия Утегенова Aug 16 '21 at 10:42
  • You do if you want to send JSON in the request @разияУтегенова – Bravo Aug 16 '21 at 10:43
  • Isn't `Content-Type` one of the [`no-cors` safelisted headers](https://fetch.spec.whatwg.org/#no-cors-safelisted-request-header-name)? This is an area I don't know well, so I suspect I'm missing something. – T.J. Crowder Aug 16 '21 at 10:57
  • Ah, it is safelisted -- but with only limited values, and `application/json` isn't one of them. – T.J. Crowder Aug 16 '21 at 11:04
  • Actually, you can set `Content-Type` of `application/json` with mode `no-cors` - it sends content-type plain/text regardless as far as I can tell – Bravo Aug 16 '21 at 11:04
  • You got there before I could find the reference: https://fetch.spec.whatwg.org/#cors-safelisted-request-header – Quentin Aug 16 '21 at 11:05
  • @Bravo — If you give an instruction to set it to JSON and it ignores it and sends plain text, then it isn't setting it, is it? – Quentin Aug 16 '21 at 11:06
  • @Quentin - I said "as far as I can tell" - it strikes me as odd that `no-cors` request would block sending JSON - I may be doing something wrong - or, as you say, setting it is "ignored" – Bravo Aug 16 '21 at 11:31
  • @T.J.Crowder - I know too much about CORS (not everything of course, stupid JSON no-cors requests!) - for years I had to deal with fellow developers who just don't get the point of CORS and think "I can bypass this with trickery in the browser" – Bravo Aug 16 '21 at 11:34
  • @Bravo — I believe the basic logic is that with a classical HTML form you can send any Content-Type supported by `enctype`. People writing web APIs may have assumed that if the content-type was not one of those then it was safe from cross-origin attacks. So now, if you make a request with Ajax and you want to set a content-type that is not supported by `enctype` then you need permission from CORS. Using `no-cors` mode basically makes everything which requires permission from CORS to fail silently and without errors - including changing the content type from the default (plain text) to JSON. – Quentin Aug 16 '21 at 11:36
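
The check and the server-side grant discussed in the answer and comments above, as an added example that is not part of the original thread: `needsCorsPermission` mirrors the safelisted `Content-Type` values, and `answerPreflight` shows how the endpoint can grant a JSON `POST` to one origin. The function names and the origin `https://app.example` are assumptions made for illustration.

```javascript
// Content-Type values a cross-origin request may carry without CORS permission
// (simplified: compares the MIME type only, ignoring the spec's length and byte checks).
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// True when setting this Content-Type needs permission from CORS, i.e. it
// triggers a preflight in "cors" mode and is not applied in "no-cors" mode.
function needsCorsPermission(contentType) {
  const mimeType = String(contentType).split(';')[0].trim().toLowerCase();
  return !SAFELISTED_CONTENT_TYPES.has(mimeType);
}

// Assumption: the only page origin that may send JSON to the endpoint.
const ALLOWED_ORIGINS = new Set(['https://app.example']);

// Headers that grant an allowed origin access; null for every other origin.
function grantHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' };
}

// Decide the reply to the browser's OPTIONS preflight. `req.headers` uses
// lower-case names, as Node's http module supplies them.
function answerPreflight(req) {
  const grant = grantHeaders(req.headers['origin']);
  const method = req.headers['access-control-request-method'];
  const asked = (req.headers['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  // Permit only what the endpoint needs: POST with a custom Content-Type.
  const ok = grant !== null && method === 'POST' &&
    asked.every((h) => h === 'content-type');
  if (!ok) return { status: 403, headers: {} };
  return {
    status: 204,
    headers: {
      ...grant,
      'Access-Control-Allow-Methods': 'POST',
      'Access-Control-Allow-Headers': 'Content-Type',
    },
  };
}
```

The response to the actual `POST` must also carry the headers from `grantHeaders(origin)`, otherwise the browser withholds the response from the calling script.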