In bug 1098342 we allowed X-Requested-With because a dashboard wasn't working. There is no reason for a third-party thing to set that header, which can otherwise be used to check for same-origin requests. Also, we allow 'origin'... which is not actually possible.
When using jquery, it seems to me that the absence of X-Requested-With is no longer a problem... the request goes through without sending that header. Any comments? Is the dashboard that prompted this still around?
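The point of the thread is what Access-Control-Allow-Headers actually buys a cross-origin caller. The following is an added illustration, not Bugzilla's code or the patch under review: a small preflight evaluator that models how a browser's CORS preflight is judged against an allow-list, with a permissive list (X-Requested-With and Origin allowed) beside a tightened one. The two lists, the header sets and the function names are hypothetical; the safelisted and forbidden header names are a simplified subset of the Fetch specification's lists.

```python
"""Hypothetical CORS preflight evaluator (added example, not Bugzilla's code)."""

# Headers a browser may attach to a cross-origin request without any preflight
# (simplified subset of the Fetch spec's CORS-safelisted request headers; the
# spec's value restrictions, e.g. on Content-Type, are ignored here).
CORS_SAFELISTED = {"accept", "accept-language", "content-language", "content-type"}

# Forbidden request header names (partial list): the browser sets these itself
# and page scripts cannot set or override them. Listing one of them in
# Access-Control-Allow-Headers therefore changes nothing for any client.
FORBIDDEN_REQUEST_HEADERS = {"origin", "host", "cookie", "referer"}

# Hypothetical allow-lists: the permissive one mirrors the situation discussed
# above, the tightened one drops X-Requested-With so that its presence again
# implies a same-origin (or non-browser) caller.
PERMISSIVE_ALLOW_HEADERS = ["Content-Type", "X-Requested-With", "Origin"]
TIGHTENED_ALLOW_HEADERS = ["Content-Type"]


def parse_request_headers(value):
    """Split an Access-Control-Request-Headers value into lower-case names."""
    return [h.strip().lower() for h in value.split(",") if h.strip()]


def preflight_allowed(allow_headers, requested):
    """Decide whether a preflight asking for `requested` headers passes.

    Returns (True, None) on success, or (False, <first rejected header>).
    Safelisted headers never need to be listed; every other requested header
    must appear in the server's Access-Control-Allow-Headers.
    """
    allowed = {h.lower() for h in allow_headers}
    for name in parse_request_headers(requested):
        if name in CORS_SAFELISTED:
            continue
        if name not in allowed:
            return False, name
    return True, None


def redundant_allowances(allow_headers):
    """Entries in the allow-list that no browser client could ever send anyway."""
    return sorted({h.lower() for h in allow_headers} & FORBIDDEN_REQUEST_HEADERS)


if __name__ == "__main__":
    # Constructed preflight: a third-party page doing
    # fetch(url, {headers: {"X-Requested-With": "XMLHttpRequest"}})
    requested = "x-requested-with, content-type"
    print("permissive:", preflight_allowed(PERMISSIVE_ALLOW_HEADERS, requested))
    print("tightened: ", preflight_allowed(TIGHTENED_ALLOW_HEADERS, requested))
    print("no-op entries:", redundant_allowances(PERMISSIVE_ALLOW_HEADERS))
```

Under the permissive list the cross-origin preflight succeeds, so any site can send X-Requested-With and the header no longer distinguishes same-origin traffic; under the tightened list the same preflight is rejected. The `redundant_allowances` check flags `origin`, which a script can never set, so allowing it is the no-op the first comment describes.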
Created attachment 8869588 [details] [review] PR Trade you a review. ;)
Attachment #8869588 - Flags: review?(dkl)
Dylan, do you have further information for me why you needinfo me? I have about a dozen tools that may or may not be the thing here, and I'm not showing up in bug 1098342
Flagging myself for needinfo, I need to dig a little deeper, as at least one of my dashboards is broken right now, so I need to figure out what's wrong with them first.
Found the dashboard that had those queries, and devtools don't show that I'm sending X-Requested-With, so removing that from the allowed headers should be fine now.
Comment on attachment 8869588 [details] [review] PR r=dkl
Attachment #8869588 - Flags: review?(dkl) → review+
Unfortunately the fallout from this is likely to be greater, so instead I'll just leave it be.
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → INCOMPLETE