Ashwin

Reputation: 13547

Why is the browser not throwing an error when setting X-Requested-With header when calling another domain?

I am running my server on localhost. I tried sending an HTTP request using fetch with the CORS mode set to no-cors. I sent the request to a random resource in the google.com domain. This request had the X-Requested-With header set to some custom value, say "Foo". This request successfully went through and returned a 404 NOT FOUND HTTP status code in the browser.

But my expectation was that the request should not have been sent at all and that the browser should have thrown an error instead, because only the following headers are allowed to be set cross-domain:

Accept
Accept-Language
Content-Language
Last-Event-ID
Content-Type

Was my expectation wrong?

Upvotes: 0

Views: 113

Answers (1)

Quentin

Reputation: 943746

From the specification:

Otherwise, if the context object’s guard is "request-no-cors" and name/value is not a no-CORS-safelisted request-header, return.

Attempting to set X-Requested-With fails silently and the request is made without the header.

Upvotes: 1
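
The guard step quoted in the answer can be modelled in a few lines. This is an added example, not code from the question, the answer or any browser. It assumes the Fetch Standard's current no-CORS safelist (Accept, Accept-Language, Content-Language, Content-Type, each with value restrictions); the function names are hypothetical, and MIME parsing is simplified.

```javascript
// Simplified model of the Fetch header guard for mode "no-cors".
// Hypothetical helper names; MIME parsing is reduced to "text before ';'".
const NO_CORS_NAMES = new Set([
  'accept', 'accept-language', 'content-language', 'content-type',
]);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// CORS-unsafe bytes: controls other than HT, DEL, and "():<>?@[\]{}
const hasUnsafeByte = (v) => /[\x00-\x08\x0a-\x1f\x7f"():<>?@[\\\]{}]/.test(v);

function isNoCorsSafelisted(name, value) {
  const n = name.toLowerCase();
  if (!NO_CORS_NAMES.has(n)) return false;   // e.g. X-Requested-With
  if (value.length > 128) return false;      // overlong values are rejected
  if (n === 'accept') return !hasUnsafeByte(value);
  if (n === 'content-type') {
    if (hasUnsafeByte(value)) return false;
    const essence = value.split(';')[0].trim().toLowerCase();
    return SAFE_CONTENT_TYPES.has(essence);
  }
  // accept-language / content-language: restricted alphabet only
  return /^[0-9A-Za-z *,\-.;=]*$/.test(value);
}

// Model of setting headers under guard "request-no-cors": a rejected pair
// is dropped with no exception, so the request still goes out without it.
function buildNoCorsHeaders(init) {
  const sent = new Map();
  const dropped = [];
  for (const [name, value] of Object.entries(init)) {
    if (isNoCorsSafelisted(name, value)) sent.set(name.toLowerCase(), value);
    else dropped.push(name);
  }
  return { sent, dropped };
}

// Constructed sample input mirroring the question's request.
const result = buildNoCorsHeaders({
  'X-Requested-With': 'Foo',
  'Accept': '*/*',
  'Content-Type': 'application/json',
});
console.log('sent:', [...result.sent.keys()], 'dropped:', result.dropped);
```

In a browser, the same effect can be observed by constructing a `Request` with `mode: 'no-cors'` and checking its `headers` for the custom name.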
