Skip to content
This repository has been archived by the owner on Apr 12, 2024. It is now read-only.

drop X-Requested-With header from the default $http config #1004

Closed
IgorMinar opened this issue May 31, 2012 · 24 comments
Closed

drop X-Requested-With header from the default $http config #1004

IgorMinar opened this issue May 31, 2012 · 24 comments

Comments

@IgorMinar
Copy link
Contributor

X-Requested-With causes CORS requests to trigger preflight checks which complicates things for many simple things.

The header is not very useful except for certain edge-cases (e.g. I think that Rails uses the header to switch full page and page fragment rendering).

@IgorMinar
Copy link
Contributor Author

better then completely dropping the header would be to send it only for same-domain requests. this will require moving the header from the default header config into a filter or something similar.

@IgorMinar
Copy link
Contributor Author

@zvictor
Copy link

zvictor commented Jun 11, 2012

I agree, I was having the same problem and I had to change server headers.

@AshD
Copy link

AshD commented Aug 28, 2012

+1

3 similar comments
@vitch
Copy link

vitch commented Sep 14, 2012

+1

@olragon
Copy link

olragon commented Sep 17, 2012

+1

@escalant3
Copy link
Contributor

+1

@rkirov
Copy link
Contributor

rkirov commented Sep 28, 2012

I had a chat with Misko about this. It might be easier to completely remove this header and let people add it on demand. Otherwise we would need to keep two sets of default headers - headers.common and headers.commonCrossDomain, which would add more complexity and documentation.

@IgorMinar
Copy link
Contributor Author

Let's just remove it as it makes the documentation and expectations easier to manage. Adding the header to the defaults is trivial.

@rkirov
Copy link
Contributor

rkirov commented Oct 12, 2012

For the record, here is the snippet to reenable the previous behavior that Igor mentioned:

myModule.config(function($httpProvider) {
  $httpProvider.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest';
});

@taralx
Copy link

taralx commented Nov 13, 2012

+1

@tchatel
Copy link

tchatel commented Nov 17, 2012

Since a few days, with this header all CORS requests to Google APIs fail, causing an "Origin [...] is not allowed by Access-Control-Allow-Origin" error.

You can see the error in Vojta's Task Manager : http://task-manager-angular.appspot.com/app/index.html
It it does no longer work, as any AngularJS application making $http requests to Google APIs.

@celmaun
Copy link

celmaun commented Nov 17, 2012

+1 to only sending for same-domain requests. -1 to removing it.

@derekdata
Copy link

I realize that this header can be added back and that it's just being removed by default, but there are some good reasons everyone might want to use it: for some basic CSRF protection: https://nealpoole.com/blog/2010/11/preventing-csrf-attacks-with-ajax-and-http-headers/#comment-1675

Are you using something different for CSRF protection?

@rkirov
Copy link
Contributor

rkirov commented Dec 7, 2012

Yes, Angular provides X-XSRF-TOKEN specifically for that purpose (see http://docs.angularjs.org/api/ng.$http). It will require some collaboration from your server, but it is a more robust solution.

@luizsignorelli
Copy link

I just updated to version 1.1.4 and my Angular app does not work with my Rails backend anymore.
There are more people with this issue as you can see on this stackoverflow question.

Dropping this header is really the right thing to do?

@gwright
Copy link

gwright commented Jun 23, 2013

I added some more background on the Rails interaction in this comment.

@eddiemonge
Copy link
Contributor

seems removing this has caused some problems. the docs should at least state that this was removed as the default. only way i found this was the cause of my api requests failing is that i examined the request in detail, with old and updated ngcore code.

@janmarek
Copy link

janmarek commented Oct 1, 2013

Nette Framework also uses this header.

@kromped
Copy link

kromped commented Oct 1, 2013

@eddiemonge I agree with you. I spent hours trying to debug what happened to the httpProvider because it was not working. Turns out they removed the default http headers and I had to search the change log to see why they removed it. Please update the docs!

@codygman
Copy link

Django also uses this in it's request.is_ajax() method. IMO the better solution is what jquery does. Yes, it is simple to add that single line but identifying the problem as 'X-Requested-With' may not be so easy for some people. I personally found it pretty easy, but I enjoy tracing through my (and everyone elses) code with the debugger ;)

@raitucarp
Copy link

this is quite weird for me, as many cases Backend, use is_xhr, or is_ajax etc to check whether user is made requests from browser with ajax, or not.

@k-vladyslav
Copy link

Symfony2 2.3.x also can't detect if the request is XHR without this header
https://github.com/symfony/http-foundation/blob/v2.3.42/Request.php#L1564

@gkalpak
Copy link
Member

gkalpak commented Aug 17, 2016

Fortunately, anyone is free to add this header to the default headers sent with every request 😄

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.