elm-http
Refused to set unsafe header "Origin" in Chrome
If you attempt to use the sample code from Http.send
```elm
crossOriginGet : String -> String -> Task RawError Response
crossOriginGet origin url =
    Http.send defaultSettings
        { verb = "GET"
        , headers = [("Origin", origin)]
        , url = url
        , body = empty
        }
```
running the Elm code in Chrome (Version 43.0.2357.134 (64-bit) on OS X 10.10.4) gives a JavaScript error:
Refused to set unsafe header "Origin"
Tried it on Firefox and it does not seem to be throwing the same error.
I am also seeing this error. @chendrix Did you ever get to the bottom of it?
Actually @chendrix does it work properly in Firefox for you? I am not getting an error in Firefox, but it is not setting the headers.
It sounds like this is just a JS thing or a browser thing.
http://stackoverflow.com/questions/15512331/chrome-adding-origin-header-to-same-origin-request
Can you confirm that it is really possible to overwrite this header in JS? I can imagine it being set by the browser and never the user for security reasons. If this is something that exists in JS but not in elm-http, we should discuss it further here. Otherwise there's not much we can do.
@evancz OK it looks like it is because of the `Origin`. Looks like browsers handle that for you. I tried with a different header and it works fine. I think we should change the example to something different. Also should we make a note about `Origin`? I can submit a PR if you agree that is the way to go.
Let's find a good example, then decide.
I have a suspicion that 40% of headers do crazy secret things, and it'd probably be good to document all of them, but I'm not sure that's a task I want to undertake. It's something that deserves to be stated clearly on the internet somewhere though, so I'd be into that existing :)
In any case, I am not an expert on scenarios and best practices of setting headers, so I'd be inclined to find "the most common example" and then solve it in the right way in our examples.
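
Added example (not elm-http code and not written by anyone in this thread): a JavaScript check for the browser behaviour discussed above, separating headers that script may set from those the browser reserves for itself, such as `Origin`. The name list is taken from the Fetch Standard's forbidden request-header definition, which remains the authoritative source; `isForbiddenRequestHeader`, `partitionHeaders` and `applyHeaders` are hypothetical helper names.

```javascript
// Header names the browser controls; script cannot set them on a request.
// Source: Fetch Standard, "forbidden request-header" (stored lowercased).
const FORBIDDEN_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length",
  "cookie", "cookie2", "date", "dnt", "expect", "host", "keep-alive",
  "origin", "referer", "set-cookie", "te", "trailer",
  "transfer-encoding", "upgrade", "via",
]);

// Any name starting with one of these prefixes is reserved as well.
const FORBIDDEN_PREFIXES = ["proxy-", "sec-"];

// Header names are case-insensitive, so compare in lowercase.
// Not covered here: the standard's value-dependent rule for the
// X-HTTP-Method / X-HTTP-Method-Override / X-Method-Override headers.
function isForbiddenRequestHeader(name) {
  const n = String(name).toLowerCase();
  return FORBIDDEN_NAMES.has(n) ||
    FORBIDDEN_PREFIXES.some((prefix) => n.startsWith(prefix));
}

// Split [name, value] pairs into those script may set and those the
// browser will refuse or drop.
function partitionHeaders(headers) {
  const allowed = [];
  const refused = [];
  for (const [name, value] of headers) {
    (isForbiddenRequestHeader(name) ? refused : allowed).push([name, value]);
  }
  return { allowed, refused };
}

// Apply only the settable headers to an XMLHttpRequest (or any object
// with setRequestHeader) and return the names that were held back, so
// the caller can report them instead of relying on a console message.
function applyHeaders(xhr, headers) {
  const { allowed, refused } = partitionHeaders(headers);
  for (const [name, value] of allowed) {
    xhr.setRequestHeader(name, value);
  }
  return refused.map(([name]) => name);
}
```

Returning the refused names gives the same result in every browser, whether it logs an error as Chrome does in the report above or drops the header without one.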