author | John Resig <jeresig@Archimedes.local> | 2009-11-25 13:29:34 -0500 |
---|---|---|
committer | John Resig <jeresig@Archimedes.local> | 2009-11-25 13:29:34 -0500 |
commit | a7678267d848fcef8775c8b9f4fa3e507b8cc5f4 (patch) | |
tree | dc99004b94e281eb024bbe17d8680781ab99d8c7 /src | |
parent | 0f6e9a8c69007ce7ebbb7c46637115a207d1a594 (diff) | |
Disable the X-Requested-With header to avoid preflighting remote POST requests. Fixes #4601.
Diffstat (limited to 'src')
-rw-r--r-- | src/ajax.js | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/src/ajax.js b/src/ajax.js
index 3416dd66d..1e0729f3f 100644
--- a/src/ajax.js
+++ b/src/ajax.js
@@ -275,13 +275,12 @@ jQuery.extend({
 }
 // Matches an absolute URL, and saves the domain
- var parts = rurl.exec( s.url );
+ var parts = rurl.exec( s.url ),
+ remote = parts && (parts[1] && parts[1] !== location.protocol || parts[2] !== location.host);
 // If we're requesting a remote document
 // and trying to load JSON or Script with a GET
- if ( s.dataType === "script" && type === "GET" && parts
- && ( parts[1] && parts[1] !== location.protocol || parts[2] !== location.host )) {
-
+ if ( s.dataType === "script" && type === "GET" && remote ) {
 var head = document.getElementsByTagName("head")[0] || document.documentElement;
 var script = document.createElement("script");
 script.src = s.url;
@@ -350,7 +349,10 @@ jQuery.extend({
 }
 // Set header so the called script knows that it's an XMLHttpRequest
- xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
+ // Only send the header if it's not a remote XHR
+ if ( !remote ) {
+ xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
+ }
 // Set the Accepts header for the server, depending on the dataType
 xhr.setRequestHeader("Accept", s.dataType && s.accepts[ s.dataType ] ? |
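Review bot: The new `remote` flag in the first hunk is a raw string comparison of `parts[1]` and `parts[2]` against `location.protocol` and `location.host`, and nothing on the line says how it fails now that it gates a request header as well as the script-tag path. Assuming `rurl` (defined outside this hunk) captures protocol and host as written, a same-origin URL with different letter case or an explicit default port would be classed as remote, so the header is dropped and a script GET goes through the injected `<script>` element. That is the conservative direction, but it deserves a comment such as `// remote: absolute URL whose protocol or host string differs from the page's; case and default ports are not normalised`. Lower-casing both sides (`parts[2].toLowerCase() !== location.host.toLowerCase()`) would remove the case variant. The enclosing function starts and ends outside the hunk.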
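Review bot: The comment added in the second hunk, `// Only send the header if it's not a remote XHR`, says what the branch does but not why, and the reason is security-relevant. A custom request header is what forces a cross-origin preflight, so omitting it turns a remote POST into a request the browser sends without first asking the target server. I would spell that out, for example `// A custom header forces a CORS preflight; omit it cross-origin so the request stays "simple". Servers that require this header as an anti-CSRF check will not see it on remote requests.` Server code that treats X-Requested-With as evidence of a same-origin AJAX call should keep rejecting requests that lack it rather than be relaxed to accommodate this change. The enclosing function starts and ends outside the hunk, so I cannot see whether `remote` can be reassigned between its declaration and this use.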