6

I'm investigating the cross-domain problems I have with some REST service call. Chrome said this: "Request header field x-requested-with is not allowed by Access-Control-Allow-Headers". This is what I've got from the Network -> Headers tab:

    Request URL: rest_url_on_other_domain
    Request Method:OPTIONS
    Status Code:200 OK

    Request Headers:
    Access-Control-Request-Headers:Origin, x-requested-with, content-type, accept
    Access-Control-Request-Method:POST
    Origin:http://localhost:8080

    Response Headers
    Access-Control-Allow-Headers:Content-Type, Accept
    Access-Control-Allow-Methods:GET, POST
    Access-Control-Allow-Origin:*
    Access-Control-Max-Age:1728000
    Cache-Control:no-cache, no-store
    Connection:keep-alive
    Content-Length:0
    Date:Fri, 30 Dec 2011 11:29:12 GMT
    Expires:-1
    Pragma:no-cache
    Server:nginx/1.0.2

Could somebody explain these HTTP headers? What is the problem: does some header check on the server fail, or does some header check on the client side (browser) fail? What's the very idea behind these Access headers? Explain in detail in simple words, just to get the feeling; the rest I'll learn by myself. Thanks in advance!

1 Answer

10

What you are seeing is a Cross-Origin Resource Sharing preflight request. The request method for such a request is OPTIONS. This is a request that the browser uses to ask permission to send the actual request. You can learn more here: http://www.html5rocks.com/en/tutorials/cors/

In this particular case, the browser is asking for a bunch of headers (in the Access-Control-Request-Headers header). Now, in response, the Access-Control-Allow-Headers header should contain all the requested headers. If it contains more than the requested headers, the browser will not throw any exception. In this example, your response header should look like this:

Access-Control-Allow-Headers: Origin, x-requested-with, content-type, accept 

All the other response headers look ok. Once the server sends this response, the browser will send a second request, which is the actual request for the data.


2 Comments

But what is the idea of the preflight request: what information will it gain from these headers? Is the conversation like: preflight request (Origin header: "What domains do you support?", x-requested-with: "Do you support XMLHttpRequests?", ...), and when they are repeated in the preflight response, does that mean "Yes" to all of them, or is it bad to have such an analogy? And when does the browser send the real request, when which conditions are fulfilled (maybe a simple example)? Thank you!
The preflight is the browser asking: "Hi server! I have a request here, it's from this domain, it's using this HTTP method, and it has these request headers. Is it cool if I send the actual request?" The server then acknowledges the preflight request by sending back the Access-Control-Allow-* headers. The reason it uses these headers rather than a simple OK is that the preflight response can be cached after the first request. That way a preflight doesn't have to be issued on every request, which saves bandwidth.
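
The check the answer describes, run over the header values from the question, as an added example that is not part of the original answer or comments. `checkPreflight` is a hypothetical helper; it follows the answer's rule literally, so it also flags `origin`, where Chrome's message in the question names only x-requested-with.

```javascript
// Simplified model of the preflight check described in the answer above.
// Not a browser implementation: real browsers also exempt some header names
// (for example Accept) from the Access-Control-Allow-Headers comparison.
const split = (v) => (v || "").split(",").map((t) => t.trim()).filter(Boolean);
const lower = (v) => split(v).map((t) => t.toLowerCase());

// Hypothetical helper: may the actual request be sent after this preflight?
// `req` and `res` are plain objects keyed by lowercase header name.
function checkPreflight(req, res) {
  const reasons = [];

  const allowOrigin = (res["access-control-allow-origin"] || "").trim();
  if (allowOrigin !== "*" && allowOrigin !== req["origin"]) {
    reasons.push(`origin ${req["origin"]} not allowed`);
  }

  const method = (req["access-control-request-method"] || "").trim();
  if (!split(res["access-control-allow-methods"]).includes(method)) {
    reasons.push(`method ${method} not allowed`);
  }

  // Header names are compared case-insensitively.
  const allowed = new Set(lower(res["access-control-allow-headers"]));
  for (const name of lower(req["access-control-request-headers"])) {
    if (!allowed.has(name)) reasons.push(`header ${name} not allowed`);
  }

  // Seconds the server permits this answer to be cached.
  const cacheSeconds = Number(res["access-control-max-age"]) || 0;
  return { allowed: reasons.length === 0, reasons, cacheSeconds };
}

// Header values copied from the question.
const request = {
  "origin": "http://localhost:8080",
  "access-control-request-method": "POST",
  "access-control-request-headers": "Origin, x-requested-with, content-type, accept",
};
const response = {
  "access-control-allow-origin": "*",
  "access-control-allow-methods": "GET, POST",
  "access-control-allow-headers": "Content-Type, Accept",
  "access-control-max-age": "1728000",
};
// The same response with the header list the answer recommends.
const fixed = { ...response,
  "access-control-allow-headers": "Origin, x-requested-with, content-type, accept" };
console.log(checkPreflight(request, response));
console.log(checkPreflight(request, fixed));
```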
