So I know that if I have custom headers in my Ajax calls, the browser does a preflight to ensure that the resource is available. My problem is that my REST service uses Http-Authorization for security, but in the OPTIONS call this header is not getting passed in, even though it’s added through beforeSend().
Do I have to reply to OPTIONS unauthenticated?
I believe the OPTIONS request is a preflight check for CORS (Cross Origin Resource Sharing). I don’t think you have control over the OPTIONS request; your browser will make it automatically.
Also, I don’t necessarily believe this is a problem. You can implement the CORS reply headers on a whitelist basis. Like, say domains X and Y are allowed, but not Z. If you ask for OPTIONS coming from X you can reply ‘allowed: X’. Similarly for Y. But if you come from Z you will say ‘not allowed’.
A way around this, and for backwards compatibility with older browsers (DomainRequest anyone?), you can use JSONP; it’s not as nice but way simpler.
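As an added example (not part of the thread above), here is a server-side decision function that answers the preflight without credentials from an origin allow-list and still requires Authorization on the real request. The origins, the token check and the names `ALLOWED_ORIGINS`, `isValidAuth` and `handleRequest` are assumptions made for illustration.

```javascript
// Added example: constructed origins and a stand-in token check (assumptions).
const ALLOWED_ORIGINS = new Set(["https://x.example", "https://y.example"]);
const isValidAuth = (value) => value === "Bearer constructed-demo-token";

// Decide the response for one request. `req` is { method, headers } with
// lower-cased header names, as Node's http module provides them.
function handleRequest(req) {
  const origin = req.headers["origin"];
  const allowed = origin !== undefined && ALLOWED_ORIGINS.has(origin);
  // Echo the origin only when it is on the allow-list; never reflect blindly.
  const cors = allowed
    ? { "Access-Control-Allow-Origin": origin, "Vary": "Origin" }
    : {};

  const isPreflight =
    req.method === "OPTIONS" &&
    req.headers["access-control-request-method"] !== undefined;

  if (isPreflight) {
    // Browsers send preflights without Authorization, so no auth check here.
    if (!allowed) return { status: 403, headers: {} };
    return {
      status: 204,
      headers: {
        ...cors,
        "Access-Control-Allow-Methods": "GET, POST",
        "Access-Control-Allow-Headers": "Authorization, Content-Type",
        "Access-Control-Max-Age": "600",
      },
    };
  }

  // The real request must carry valid credentials whatever its origin.
  if (!isValidAuth(req.headers["authorization"])) {
    return { status: 401, headers: cors };
  }
  return { status: 200, headers: cors };
}
```

The preflight reply reveals only the CORS policy; the data stays behind the Authorization check on the request that follows it.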