25

I am trying to hit a service end point and the service is a login service I am using the authentication type as basic ,The code is in react and using the fetch library however even if i set the headers field in my request I am unable to see the values of corresponding headers in my request in network tab?

Following is the code : 

var obj = {
  method: 'GET' ,
  mode : 'no-cors',
  headers: {
      'Access-Control-Request-Headers': 'Authorization',
      'Authorization': 'Basic amFzcGVyYWRtaW46amFzcGVyYWRtaW4=',
      'Content-Type': 'application/json',
      'Origin': ''
  },
  credentials: 'include'
};
fetch('http://myreport:8082/jasperserver/rest/login/', obj ).then(…

Popup where its asking me for username and password Popup where its asking me for username and password

Request and response calls from the network tabs Request and response calls from the network tabs

Improve this question
2
  • this seems to be a cross origin request why have you set mode to 'no-cors'? Commented Jun 17, 2017 at 15:49
  • try to remove mode: no-cors and use npmjs.com/package/cors or something similar for your backend platform Commented Jun 22, 2022 at 18:24

1 Answer 1

Reset to default
31

None of your headers are CORS-safelisted, so they can not be attached to the request.

Explanation:

  1. no-cors request mode sets guard property for a headers object to request-no-cors

  2. To append a name/value (name/value) pair to a Headers object (headers), browser have to run these steps:

    1. Normalize value.

    2. If name is not a name or value is not a value, then throw a TypeError.

    3. If guard is "immutable", then throw a TypeError.

    4. Otherwise, if guard is "request" and name is a forbidden header name, return.

    5. Otherwise, if guard is "request-no-cors" and name/value is not a CORS-safelisted request-header, return. ← your scenario

    6. Otherwise, if guard is "response" and name is a forbidden response-header name, return.

    7. Append name/value to header list.

  3. CORS-safelisted request-header (case-insensitive):
    • Accept
    • Accept-Language
    • Content-Language
    • Content-Type, but only if the value is one of:
      • application/x-www-form-urlencoded
      • multipart/form-data
      • text/plain

You can learn more about fetch's Headers class specs here: https://fetch.spec.whatwg.org/#headers-class

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

mode: 'no-cors' basically normalizes the request to be a "simple" one, for example, the server will receive Content-Type: text/plain instead of application/json that you have in your code snippet. I find this behavior quite strange/interesting but that's the way it is. mode:no-cors also avoids triggering preflight.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.