jpillora / xdomain

A pure JavaScript CORS alternative
https://jpillora.com/xdomain/

All headers lowercased before sending #95

Closed peterjosling closed 10 years ago

peterjosling commented 10 years ago

All request headers are converted to lowercase before sending - which in theory shouldn't be an issue as headers are case insensitive. However, I have to work with an API which requires an 'Authorization' header with a capital A, which I'm unable to send with this library (but was previously with standard jQuery).

Native XMLHttpRequest doesn't lowercase headers, so this shouldn't either?

jpillora commented 10 years ago

Another one of the fun quirks about HTTP: clients are allowed to mix header case in requests, and the server is supposed to ignore case.

This portion of the code is actually in XHook and was added by this PR: https://github.com/jpillora/xhook/issues/16

We can either remove this code or we could "pretty print" headers, that is, my-header becomes My-Header.

@gasi Can you comment on this?

jpillora commented 10 years ago

Also, another thing that needs to be confirmed, which I can do when I get home, is: Can multiple headers of the same name be set? I'm quite sure this is allowed in the spec? Can all browsers do this? Because at the moment, I'm storing headers in an object which would only allow unique headers.

jpillora commented 10 years ago

So, when we do:

xhr.setRequestHeader('foo-BAR', 42);
xhr.setRequestHeader('FOO-bar', 21);

In latest Chrome it sends (lowercase key, both values)

foo-bar:42, 21

whereas on latest Firefox, it sends (lowercase key, last value)

foo-bar:21

Same test, though with authentication header:

xhr.setRequestHeader('AUTHORization', 42);
xhr.setRequestHeader('AuthorIZATION', 21);

Chrome (no lowercasing - uses the initial key and both values)

AUTHORization:42, 21

Firefox (forces capital A and uses last value)

Authorization:21

And there is still Safari, Android browser, etc. to test... Maybe the simplest solution for now is to just force capital Authorization?

(edit1: tested Authorization in place of Authentication - same results)

edit2: Safari sends same as Chrome (behaviour inherited from WebKit I presume):

AUTHORization:42, 21

jpillora commented 10 years ago

Created an issue on the XHook repo https://github.com/jpillora/xhook/issues/21, please place all further comments relating to this there.

jpillora commented 10 years ago

Fixed with https://github.com/jpillora/xdomain/commit/79fd6a551ba024ce2f8d694980ddca401e6d1004
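
As an added example (not code from this thread, XHook or xdomain): one way a request-proxying library could store headers so that lookups are case-insensitive while the caller's first casing and repeated values survive, matching the Chrome/Safari results above and the XMLHttpRequest specification's "combine" step. The `HeaderBag` class and `demo` function are hypothetical names.

```javascript
// Added illustration (hypothetical HeaderBag class, not XHook/xdomain code).
// Stores request headers keyed case-insensitively, keeps the casing of the
// first set() call for the wire, and combines repeated names with ", " as
// the XMLHttpRequest spec does for setRequestHeader().
class HeaderBag {
  constructor() {
    this.entries = new Map(); // lowercased name -> { name, value }
  }

  set(name, value) {
    // Header names must be HTTP tokens; this rejects spaces, colons, CR/LF.
    if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
      throw new SyntaxError("invalid header name: " + JSON.stringify(name));
    }
    const text = String(value).trim(); // strip surrounding whitespace
    if (/[\r\n\0]/.test(text)) {       // then reject embedded CR/LF/NUL
      throw new SyntaxError("invalid header value");
    }
    const key = name.toLowerCase();
    const existing = this.entries.get(key);
    if (existing) {
      existing.value += ", " + text; // combine, keep first-seen casing
    } else {
      this.entries.set(key, { name, value: text });
    }
  }

  get(name) {
    const entry = this.entries.get(name.toLowerCase());
    return entry ? entry.value : null;
  }

  // Header lines as they would be replayed onto a real XMLHttpRequest.
  toWire() {
    return Array.from(this.entries.values(), (e) => e.name + ": " + e.value);
  }
}

// Constructed sample mirroring the calls tested in the thread.
function demo() {
  const bag = new HeaderBag();
  bag.set("AUTHORization", 42);
  bag.set("AuthorIZATION", 21);
  bag.set("foo-BAR", 42);
  return bag.toWire();
}
```

A plain object keyed by the lowercased name, as described earlier in the thread, loses both the original casing and the first value; keeping the display name beside the normalized key avoids that without making lookups case-sensitive.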