http-browserify

fix: xhr.withCredentials is initially `false`

Open feltnerm opened this issue 11 years ago • 5 comments

According to the XMLHttpRequest2 spec, xhr.withCredentials should be initially false. http-browserify sets this flag to true by default, which disobeys the spec. This leads to browser errors when making CORS requests to domains that have wildcards in their Access-Control-Allow-Origin header.

http-browserify should attempt to follow the spec by default. In this case, that means setting withCredentials to false initially, and then allowing the user to override that in the passed-in params.

Maybe it is possible to auto-detect when user credentials are being sent and then set the withCredentials flag from there.

Somewhat related to #35 (the committer there expressed concern about withCredentials being true when uninitialized as well).

Mar 28 '14 20:03 feltnerm
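
The failure described in this issue, as an added example that is not part of the thread and not http-browserify's code: a simplified model of the browser's CORS response check, next to a spec-style default for the flag. The function names, the sample origin and the sample headers are constructed for illustration.

```javascript
// Added illustration; all names here are hypothetical, not http-browserify's API.

// Spec-style default: credentials are sent only when the caller explicitly opts in.
function resolveWithCredentials(params) {
  return Boolean(params && params.withCredentials === true);
}

// Case-insensitive header lookup on a plain object of response headers.
function header(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]).trim();
}

// Simplified model of the check a browser applies to a cross-origin response.
function corsCheck(requestOrigin, withCredentials, responseHeaders) {
  const allowOrigin = header(responseHeaders, 'Access-Control-Allow-Origin');
  if (allowOrigin === null) {
    return { allowed: false, reason: 'no Access-Control-Allow-Origin' };
  }
  if (!withCredentials) {
    const ok = allowOrigin === '*' || allowOrigin === requestOrigin;
    return { allowed: ok, reason: ok ? 'ok' : 'origin mismatch' };
  }
  // Credentialed request: the wildcard is rejected, the origin must match
  // exactly, and the server must opt in with Access-Control-Allow-Credentials.
  if (allowOrigin === '*') {
    return { allowed: false, reason: 'wildcard with credentials' };
  }
  if (allowOrigin !== requestOrigin) {
    return { allowed: false, reason: 'origin mismatch' };
  }
  if (header(responseHeaders, 'Access-Control-Allow-Credentials') !== 'true') {
    return { allowed: false, reason: 'credentials not allowed' };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed sample: a server that answers every origin with a wildcard.
const ORIGIN = 'https://app.example';
const WILDCARD_RESPONSE = { 'Access-Control-Allow-Origin': '*' };

// A dependency that passes no withCredentials option, under each default.
function compareDefaults() {
  return {
    defaultTrue: corsCheck(ORIGIN, true, WILDCARD_RESPONSE),
    defaultFalse: corsCheck(ORIGIN, resolveWithCredentials({}), WILDCARD_RESPONSE),
  };
}
```
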

I just ran into this as well. I was glad the withCredentials option was available, but agree it should default to false.

Apr 03 '14 13:04 gsf

> I just ran into this as well. I was glad the withCredentials option was available, but agree it should default to false.

Yeah, it was annoying that I had a dependency that was using the http module but was not specifying the withCredentials option, resulting in CORS errors. If withCredentials followed the spec, I would not have to modify/fork dependencies to work with http in the browser.

Apr 09 '14 16:04 feltnerm

I ran into this as well. Please merge. xhr.withCredentials definitely shouldn't be true by default.

Apr 14 '14 22:04 agrueneberg

This is not good. Please merge.

Apr 29 '14 00:04 imhoffd

similar to #90

Jul 02 '15 19:07 feltnerm