Chrome doesn't add headers to ajax requests from iframe, Firefox ok

I have a situation where I am sending ajax requests from an iframe to the same domain as the original page; this iframe is being loaded from the same domain. Let's say the original page URL is http://server/client and the iframe src is http://server/client/addin1/view.html

From the iframe, I make an initial xhr request to the api: POST http://server/api/connect, which returns 201 with a token in the response header and in the cookie. Now I make the following call to another api method, say GET http://server/api/status, but in this case I add a token header and I assume the resulting cookie will be enabled by the browser - this is HttpOnly, and my xhr has withCredentials: true.

Magic: in FF it works fine, both token and cookie are set and sent; in Chrome no token header is added and the cookie is not sent. I have verified that in both cases xhr.setRequestHeader(...) is called, and in order to be 100% sure, I have checked with Wireshark what is actually sent.

Any idea why Chrome behaves differently than FF? Maybe I just missed it.

thanks, Lukash

+3




1 answer


I had a similar problem to yours and was able to fix my CORS problem after following this MDN CORS article (see Credential Requests). There you will find that you need to set the xhr option withCredentials. Here's an example they are using:

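var invocation = new XMLHttpRequest();
var url = 'http://bar.other/resources/credentialed-content/';

// Minimal handler: log the status and body once the request has completed
function handler() {
  if (invocation.readyState === XMLHttpRequest.DONE) {
    console.log(invocation.status, invocation.responseText);
  }
}

function callOtherDomain() {
  if (invocation) {
    invocation.open('GET', url, true);
    // Ask the browser to send cookies and HTTP auth with this request
    invocation.withCredentials = true;
    invocation.onreadystatechange = handler;
    invocation.send();
  }
}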

      



Hope it helps!

0
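
The "Credential Requests" rules the answer points to, as an added example (not part of the original answer or the MDN article): when a request made with withCredentials is cross-origin, the browser accepts the response only if the server's headers pass the checks below. The origin http://client.example, the header name X-Token and both header sets are assumptions constructed for illustration.

```javascript
// Added example: checks server response headers against the CORS rules for
// credentialed requests. Origin and header names in the samples are assumptions.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// Returns the reasons a browser would block a credentialed cross-origin request;
// an empty list means the headers satisfy the rules.
function checkCredentialedCors(origin, customHeaders, preflightHeaders, responseHeaders) {
  const problems = [];
  const check = (label, raw) => {
    const h = lowerKeys(raw);
    const acao = h['access-control-allow-origin'];
    if (acao === undefined) problems.push(`${label}: Access-Control-Allow-Origin missing`);
    else if (acao === '*') problems.push(`${label}: wildcard origin not allowed with credentials`);
    else if (acao !== origin) problems.push(`${label}: origin ${acao} does not match ${origin}`);
    if (h['access-control-allow-credentials'] !== 'true')
      problems.push(`${label}: Access-Control-Allow-Credentials must be "true"`);
    return h;
  };
  // A custom request header such as a token triggers a preflight (OPTIONS) request.
  if (customHeaders.length > 0) {
    const h = check('preflight', preflightHeaders);
    const allowed = (h['access-control-allow-headers'] || '')
      .split(',').map((s) => s.trim().toLowerCase());
    for (const name of customHeaders) {
      // With credentials, "*" in Allow-Headers is a literal name, not a wildcard.
      if (!allowed.includes(name.toLowerCase()))
        problems.push(`preflight: header ${name} not listed in Access-Control-Allow-Headers`);
    }
  }
  check('response', responseHeaders);
  return problems;
}

// Constructed sample header sets
const good = {
  'Access-Control-Allow-Origin': 'http://client.example',
  'Access-Control-Allow-Credentials': 'true',
  'Access-Control-Allow-Headers': 'X-Token',
};
const weak = { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Headers': '*' };
console.log(checkCredentialedCors('http://client.example', ['X-Token'], good, good));
console.log(checkCredentialedCors('http://client.example', ['X-Token'], weak, weak));
```

These rules apply only when the request is cross-origin; a same-origin request is not subject to them.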

