Patching jQuery 1.3.2 to support Cross-Origin Resource Sharing
Hi all,
I don't know what the state of this is in the current development of
jQuery, but I just patched my local 1.3.2 version to be able to
support the most basic scenario of "Cross-Origin Resource Sharing". I
can now make cross-domain plain JSON requests on my machine using
Firefox 3.5. (I only need it for testing right now so this is OK for
me)
http://dev.w3.org/2006/waf/access-control/
https://developer.mozilla.org/En/HTTP_access_control
The concept distinguishes between "Simple Requests" and "Preflighted
requests", which are handled differently. To qualify as a simple
request it must use GET or POST and must not contain any custom
headers. Stepping through the jQuery code, this quickly turned out to
be a problem, since jQuery adds the X-Requested-With header to all
outgoing requests. For now I just commented out the line
xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
(line 3531 in my version of jquery 1.3.2) to make the browser treat it
as a basic request. So one way to support this would be to offer a
flag to not set optional headers in the request. To make the request
fully work, the server has to add a Access-Control-Allow-Origin header
to the response, but this is not in the responsibility of jQuery.
The other route would be to support the "Preflighted requests"
protocol, but this is more involved since it results in sending an
OPTIONS request first and then, depending on the server's response,
sending the actual request. I did not look into this for now since the
above is sufficient for my use case.
I am sorry that I do not have time right now to provide any formal
patch or look further into this issue, since I have a deadline
approaching. But I wanted to share my findings with you since
currently nothing shows up when googling the relevant keywords. This
blog post
http://pdxjs.com/2009/08/02/sammy-and-cross-origin-resource-sharing.html
mentions that none of the common js libraries support Cross-Origin
Resource Sharing for now.
Btw. one of the problems was that it took me quite a while to find out
what was wrong since Firefox 3.5 will fail silently on cross-domain
requests with jquery - it sends out an OPTIONS request, which is
passed to jQuery as a reply. Obviously the data is missing but other
than that there is no indication that something went wrong. So if you
decide to not implement CORS cross-domain requests should at least
fail with an exception to help debugging.
All the best,
Flo Ledermann