Ajax CORS fixes #6696
Ajax CORS fixes #6696
Conversation
… no longer added incorrectly When this header is added incorrectly, it triggers preflight requests. This caused a breaking change from rxjs 6.x with any backend request URL that does not support preflight requests (OPTIONS method). Issue traces back to 0d66ba4
|
Hi @benlesh In v6 the default for crossDomain was true: https://github.com/ReactiveX/rxjs/blob/6.x/src/internal/observable/dom/AjaxObservable.ts#L163 In v7 it’s code was changed yet the code read “Defaults” and said crossDomain true, it was just reading “undefined” at point of checking whether to add a header due to the default not taken into account. Tracking the changes in commits this appears to occur in an unrelated change and there was no breaking change notification so I believe it was unintentional and needs fixing. Adding the header forces a CORS, breaking if the server does not accept the OPTIONS header. So unfortunately this PR doesn’t fix the reported issue as it seems to enforce a new default if false for CORS - which is a breaking change from v6 to v7 I cannot find documented. I also don’t believe this breaking change is desirable. Hope that makes sense. |
|
The more I think about this, I'm starting to feel like we're just doing this wrong. Looking at the behaviors as they're defined. I think that we can probably deprecate I'm going to mark this for review with the Core Team so that can be discussed. |
benlesh
added
7.x
|
@benlesh So that the current "broken" status can be rectified is it all possible to go back to my original PR and get that pushed through as a restoring of v6 functionality for a minor point release perhaps? I'm generally cautious about mixing change requests with bug fixes as the former can take a lot of time to discuss and agree, and in the meantime there's potential for others to have the same issues I've encountered attempting to upgrade to v7. |
|
@driskell at this point I think we need to be more cautious than to declare your PR a simple bug fix (one person's bug fix is another person's breaking change). For one thing, the original behavior in 6.x was hap-hazard, and 7.x was meant as a move to fall in line with what most other AJAX impls were doing. However, looking more closely at what other AJAX impls are doing now and what browsers do with CORS, it leads me to believe that we need to slow down and think about what needs to be done here.
As a workaround, people can simply add any custom header to force CORS (including |
|
@benlesh Ah ok I can completely agree and understand. I had assumed the change wasn’t deliberate as I couldn’t find it documented and the commits seemed unrelated. In that case is it worth just updating this page to document the change? https://rxjs.dev/deprecations/breaking-changes |
|
Core team: Proceed with plan above. |
|
Sorry, I got a little tangled with all of what was done on top of this, so I started from scratch with another PR at #6710 that addresses the issues as discussed. @driskell I'd really like to thank you again for bringing this to our attention. Sorry this might not be the outcome you wanted exactly, but I think it's movement in the right direction, and we'll definitely be using what was learned here to make things even better in upcoming versions. |
Working off of #6691
(added a commit to that PR, but I was unable to do that from the Web UI to that branch, so I started a new branch)