Ff111 fetch authorization cross origin #25127
(comment last updated: 2023-03-10 03:26:27)
@@ -35,6 +35,9 @@ This article provides information about the changes in Firefox 111 that affect d | |||
|
|||
### HTTP | |||
|
|||
- The HTTP [`Authorization`](/en-US/docs/Web/HTTP/Headers/Authorization) header is removed from cross origin redirects. |
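Review bot: In the added HTTP bullet, "removed from cross origin redirects" is unhyphenated and imprecise, because the header is removed from the request when it is redirected, not from the redirect itself. Suggest "is removed from requests that are redirected cross-origin", which also matches the hyphenated "cross-origin" used in the sentence this PR adds to the request-header note.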
FYI this is part of the same work as the stuff down in APIs for `fetch()`. But it is kind of separate in that it is at the HTTP layer in code, and this is where you might look for it.
> allowed by Access-Control-Allow-Headers in preflight response**" exception | ||
> when you send requests across domains. In this situation, you need to set up the | ||
> {{HTTPHeader("Access-Control-Allow-Headers")}} in your response header at server side. | ||
In addition, the [`Authorization`](/en-US/docs/Web/HTTP/Headers/Authorization) HTTP header may be added to a request, but will be removed if the request is redirected cross-origin. |
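Review bot: The added sentence on the `Authorization` header states the removal as unconditional behaviour, while this PR is titled as a Firefox 111 change; say which browsers or versions it applies to, or point readers to the compatibility data. It would also help to state here that the header is kept when the redirect stays on the same origin, so readers do not assume every redirect drops it.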
FYI, this is the only new content here - the rest is layout. All it does is note that if the authorization header is added it will be stripped.
Where is the best place to ask a question about this new feature? I am experiencing the Authorization header being stripped in Firefox Developer Edition, even though the response is not a cross-origin redirect. This is a request from a SPA using the Axios library to an API on the same subdomain & both using HTTPS. Setting
Thanks @hamishwillee
From FF111 if a `fetch()` or `XMLHttpRequest` request is redirected cross-origin, then a developer-added `Authorization` HTTP header will be removed from the request. The header is not stripped if the request is redirected to the same origin.

There isn't any particularly great place to record this information. What I have done is added it as a note to the `option.headers` value for `fetch()` and in the description for `XMLHttpRequest.setRequestHeader()` - I think that is the most likely place it will be seen. This also gets a note in the `Authorization` header.

I've also added a release note.
Other docs work can be tracked in #22533
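
A small model of the redirect rule described in this PR, added here as an example and not code from Firefox, MDN or the PR itself: it walks a redirect chain and reports on which hops a developer-added `Authorization` header would still be sent, using the standard scheme/host/port origin comparison. The function names, the `example.test` URLs and the bearer value are constructed, and the model assumes a removed header is not restored on later hops.

```javascript
// Added illustration: models the redirect rule described in this PR.
// All names and URLs are hypothetical, not Firefox or MDN code.

// Two URLs share an origin only if scheme, host and port all match.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Walk a chain of URLs (the initial request followed by each redirect
// target) and report whether Authorization is sent on each hop.
function headersPerHop(chain, initialHeaders) {
  // Header names are case-insensitive; normalise to lower case.
  const headers = new Map(
    Object.entries(initialHeaders).map(([k, v]) => [k.toLowerCase(), v])
  );
  const sent = [];
  for (let i = 0; i < chain.length; i++) {
    if (i > 0 && !sameOrigin(chain[i - 1], chain[i])) {
      // Cross-origin redirect: the header is removed from the request.
      // Assumption of this model: it stays removed on later hops,
      // even if a later redirect returns to the first origin.
      headers.delete("authorization");
    }
    sent.push({ url: chain[i], hasAuthorization: headers.has("authorization") });
  }
  return sent;
}

// Constructed sample chains (example.test hosts are placeholders).
const hdrs = { Authorization: "Bearer PLACEHOLDER", Accept: "application/json" };
const samePath = headersPerHop(
  ["https://api.example.test/v1/me", "https://api.example.test/v2/me"], hdrs);
const crossHost = headersPerHop(
  ["https://api.example.test/v1/me", "https://cdn.example.test/me",
   "https://api.example.test/v2/me"], hdrs);
const schemeChange = headersPerHop(
  ["http://api.example.test/me", "https://api.example.test/me"], hdrs);

console.log(samePath, crossHost, schemeChange);
```

When debugging an unexpectedly missing header, comparing `new URL(x).origin` for every hop shown in the network panel is a quick way to spot a scheme, host or port change in the chain.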