Set regular HTTP request headers from javascript

Question

I'm trying to make a multipage web app that uses json web tokens for authentication. Using JWTs for single page apps is fairly trivial as you just set the headers on an XHR and send it off, but setting the headers for regular browser requests seems somewhat more difficult.

It would be possible to use query strings here, but it'd be better to use headers.

Is it possible to set regular browser request headers from javascript? Specifically the Authorisation header. If so, how is it done? Or is it prevented due to some massive security pitfall it would introduce?

Answer 1

"Is it possible to set regular browser request headers from javascript?"

Short answer. No. Not for standard anchor links or form submit behaviour. This is a long standing "issue" with traditional multipage apps. I use quotes around "issue" because...

Long Answer. There are likely other ways to achieve your goal.

1. Use hidden form fields if your doing a form submit style post and redirect.
2. Use cookies and read those values on the server, this is the way a lot of session based web browser authentication works.
3. Do something clever with an ajax call that post to resource that response back with a success message object with a route to navigate to on success (and maybe one for failure). Just as an example. You could probably take advantage of server repsonse codes (http 302) etc.