From a7678267d848fcef8775c8b9f4fa3e507b8cc5f4 Mon Sep 17 00:00:00 2001 From: John Resig Date: Wed, 25 Nov 2009 13:29:34 -0500 Subject: [PATCH] Disable the X-Requested-With header to avoid preflighting remote POST requests. Fixes #4601. --- src/ajax.js | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/src/ajax.js b/src/ajax.js index 3416dd66..1e0729f3 100644 --- a/src/ajax.js +++ b/src/ajax.js @@ -275,13 +275,12 @@ jQuery.extend({ } // Matches an absolute URL, and saves the domain - var parts = rurl.exec( s.url ); + var parts = rurl.exec( s.url ), + remote = parts && (parts[1] && parts[1] !== location.protocol || parts[2] !== location.host); // If we're requesting a remote document // and trying to load JSON or Script with a GET - if ( s.dataType === "script" && type === "GET" && parts - && ( parts[1] && parts[1] !== location.protocol || parts[2] !== location.host )) { - + if ( s.dataType === "script" && type === "GET" && remote ) { var head = document.getElementsByTagName("head")[0] || document.documentElement; var script = document.createElement("script"); script.src = s.url; @@ -350,7 +349,10 @@ jQuery.extend({ } // Set header so the called script knows that it's an XMLHttpRequest - xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest"); + // Only send the header if it's not a remote XHR + if ( !remote ) { + xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest"); + } // Set the Accepts header for the server, depending on the dataType xhr.setRequestHeader("Accept", s.dataType && s.accepts[ s.dataType ] ?