Skip to content

There is no way to set the XHR's withCredentials property to false if the protection data contains a header name "authorization"

Created by: littlespex

Environment
  • Dash.js version: 2.6.2
  • Browser name/version: All MSE enabled browsers
  • OS name/version: All MSE enabled platforms
Observed behaviour

When the authorization header is set in the protection data object, DashJS automatically sets the XHR's withCredentials property to true:

// Set optional XMLHttpRequest headers from protection data and message
var updateHeaders = function updateHeaders(headers) {
    var key;
    if (headers) {
        for (key in headers) {
            if ('authorization' === key.toLowerCase()) {
                xhr.withCredentials = true;
            }
            xhr.setRequestHeader(key, headers[key]);
        }
    }
};

This causes some AZURE license requests to fail. We can see successful playback if we comment out this line. Unfortunately, this forces us to provide the customer with an modified DashJS library. We have tried to override this behavior by passing withCredentials: false in the protection data object, but the code in DashJS only applies this override if the value is true:

// Set withCredentials property from protData
if (protData && protData.withCredentials) {
    xhr.withCredentials = true;
}
Possible solutions
  1. Change the override code to also except a value of false:
// Set withCredentials property from protData
if (protData && typeof protData.withCredentials == "boolean") {
    xhr.withCredentials = protData.withCredentials;
}
  1. Remove the hardcoded line that forces withCredentials to be set to true when the authorization header is present, and let customers set withCredentials to true via the protection data object:
// Set optional XMLHttpRequest headers from protection data and message
var updateHeaders = function updateHeaders(headers) {
    var key;
    if (headers) {
        for (key in headers) {
            xhr.setRequestHeader(key, headers[key]);
        }
    }
};