It appears that jQuery doesn't send along the Authorization header when sending an OPTIONS request before a POST request (or possibly other types). The server I'm trying to reach is returning a 401 status for the OPTIONS request - how can I force jQuery to include the Authorization header, even in this initial request?

$.ajax({
    type: "POST",
    url: url,
    data: postData,
    beforeSend: function ajaxBeforeSend(jqXHR) {
        jqXHR.withCredentials = true;
        jqXHR.setRequestHeader("Authorization", "Basic " + btoa(encodeURIComponent(escape($username.val())) + ":" + encodeURIComponent(escape($password.val()))));
    },
    success: runReportUrlCallback,
    error: runReportErrorCallback
});

I also tried adding username and password to the ajax options, to no avail.

It appears that jQuery doesn't send along the Authorization header when sending an OPTIONS request before a POST request (or possibly other types). The server I'm trying to reach is returning a 401 status for the OPTIONS request - how can I force jQuery to include the Authorization header, even in this initial request?

$.ajax({
    type: "POST",
    url: url,
    data: postData,
    beforeSend: function ajaxBeforeSend(jqXHR) {
        jqXHR.withCredentials = true;
        jqXHR.setRequestHeader("Authorization", "Basic " + btoa(encodeURIComponent(escape($username.val())) + ":" + encodeURIComponent(escape($password.val()))));
    },
    success: runReportUrlCallback,
    error: runReportErrorCallback
});

I also tried adding username and password to the ajax options, to no avail.

• javascript
• jquery
• ajax
• cors

Share Improve this question Follow asked Feb 23, 2015 at 5:17 Josh M.Josh M. 27.8k2727 gold badges131131 silver badges222222 bronze badges 3

• possible duplicate of Why does the preflight OPTIONS request of an authenticated CORS request work in Chrome but not Firefox? – suish Commented Feb 23, 2015 at 5:48
• Seems like make the server not requiring auth on OPTIONS request is the only way to fix it. – suish Commented Feb 23, 2015 at 5:49
• I don't "own" the server. It's a 3rd party web service. – Josh M. Commented Feb 23, 2015 at 5:52

Add a ment  | 

1 Answer 1

Sorted by: Reset to default 5

It seems that the 3rd party server has been configured incorrectly without the OPTIONS request in mind.

W3 states that preflight OPTIONS request must:

Exclude user credentials.

User credentials are defined:

The term user credentials for the purposes of this specification means cookies, HTTP authentication, and client-side SSL certificates

See https://www.w3/TR/cors/#cross-origin-request-with-preflight-0

If the server is in your control then you simply put the OPTIONS request handler in front of your auth check.

If the server is NOT in your control, which seems to be the case here, then you moan at the server administrator explaining they've done it wrong and hope they change it.