Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

remove X-Requested-With: XMLHttpRequest header #8493

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

remove X-Requested-With: XMLHttpRequest header #8493

wants to merge 2 commits into from

Conversation

lion7
Copy link

@lion7 lion7 commented Mar 20, 2023

Description

This PR effectively reverts the changes of PR #4934 (or more specific the commit 937c8f6).

Motivation and Context

As described in more detail in issue #6081, the use of the X-Requested-With header triggers a preflight on most authentication backends. Most authentication endpoints do not implement CORS, and when they do the header X-Requested-With is not in the list of allowed headers.

Note that the motivation of the original PR that introduced this change seems to be debatable. The popup shown in the screenshots there seem to be caused by a backend sending a WWW-Authenticate header, which is kind of weird.

Fixes #6081

How Has This Been Tested?

Running the latest swagger-ui with Dex IDP (https://dexidp.io/). My browser fails to fetch the token after going through the authorization code flow. Replacing swagger-ui with a local build of this PR results in successful authentication.

Screenshots (if appropriate):

Checklist

My PR contains...

  • No code changes (src/ is unmodified: changes to documentation, CI, metadata, etc.)
  • Dependency changes (any modification to dependencies in package.json)
  • Bug fixes (non-breaking change which fixes an issue)
  • Improvements (misc. changes to existing features)
  • Features (non-breaking change which adds functionality)

My changes...

  • are breaking changes to a public API (config options, System API, major UI change, etc).
  • are breaking changes to a private API (Redux, component props, utility functions, etc.).
  • are breaking changes to a developer API (npm script behavior changes, new dev system dependencies, etc).
  • are not breaking changes.

Documentation

  • My changes do not require a change to the project documentation.
  • My changes require a change to the project documentation.
  • If yes to above: I have updated the documentation accordingly.

Automated tests

  • My changes can not or do not need to be tested.
  • My changes can and should be tested by unit and/or integration tests.
  • If yes to above: I have added tests to cover my changes.
  • If yes to above: I have taken care to cover edge cases in my tests.
  • [?] All new and existing tests passed.

@mosinve
Copy link

mosinve commented Mar 27, 2024
edited

Is it still supposed to merge?

@syl20bnr
Copy link

Well that would be cool to merge this since it is still a blocker since 2024.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CORS issue in oauth2 authorizationCode flow
3 participants
@lion7 @mosinve @syl20bnr