allow extraHeaders to be set for browser clients in XHR requests. #410

Closed
stevedw opened this issue Aug 20, 2015 · 5 comments


stevedw commented Aug 20, 2015

The current extraHeaders functionality seems to restrict setting extra headers to clients running in Node.

Why not allow this to be used in the browser, especially to be able to set custom headers for the XHR request?

Most browsers check the headers allowed so I do not see this as a security issue. It should also be possible to set the withCredentials header using this mechanism to enable cookies to be passed.

@3rd-Eden
Contributor

Because not all transports support custom headers.


stevedw commented Aug 20, 2015

I appreciate that. But at the moment it is impossible to set them for those that do. I have a use case to set custom auth headers and this is not possible without removing the node-js client check inside the library, which I would rather not do.

At the moment Node js client transports can use this feature and no other can as a special case (as is documented in the code). So I am struggling to see why this is not "transports that support extra headers".

I cannot see why this is such an issue - it's not like the transports are entirely symmetrical in their behaviour.

@vvatikiotis


stevedw commented Apr 4, 2016

I have no idea - which commit was it in? It's not referenced on this issue if it is.


nickjer commented Apr 25, 2016

I also think extraHeaders should be added to browser clients as well. One such example is

'X-Requested-With': 'XMLHttpRequest'

That way the polling doesn't keep getting redirected by the authentication module when I am logged out (building up state cookies). If the request has the above header, then the authentication module will just return 401s as it will know it is an Ajax request.

I believe jQuery has this on by default: http://api.jquery.com/jquery.ajax/
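
The following is an added example, not part of the thread and not engine.io code: a server-side auth gate that answers a logged-out poll carrying `X-Requested-With: XMLHttpRequest` with a 401 instead of a login redirect, and answers the CORS preflight a browser sends before a cross-origin XHR that sets custom headers. The origin, login URL, cookie name and function names are assumptions.

```javascript
// Added example: hypothetical auth gate in front of a polling endpoint.
// ALLOWED_ORIGIN, LOGIN_URL and the cookie name are assumed values.
const ALLOWED_ORIGIN = 'https://app.example.test';
const LOGIN_URL = '/login';
const ALLOWED_HEADERS = ['x-requested-with', 'authorization'];

// Header names are case-insensitive; normalise them once.
function lower(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = String(v);
  return out;
}

// Returns { status, headers }; `session` is null when the user is logged out.
function gate(method, rawHeaders, session) {
  const h = lower(rawHeaders);
  const cors = h.origin === ALLOWED_ORIGIN
    ? { 'Access-Control-Allow-Origin': ALLOWED_ORIGIN,
        'Access-Control-Allow-Credentials': 'true', Vary: 'Origin' }
    : {};

  // Custom headers make a cross-origin XHR non-simple: the browser sends a
  // preflight and proceeds only if every requested header is allowed.
  if (method === 'OPTIONS' && h['access-control-request-method']) {
    const asked = (h['access-control-request-headers'] || '')
      .split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
    const ok = h.origin === ALLOWED_ORIGIN &&
      asked.every((name) => ALLOWED_HEADERS.includes(name));
    return ok
      ? { status: 204, headers: { ...cors, 'Access-Control-Allow-Headers': asked.join(', ') } }
      : { status: 403, headers: {} };
  }

  if (session) return { status: 200, headers: cors };

  // Logged out: an XHR poll gets a plain 401 and no new state cookie.
  // The header is client-controlled, so it only selects the response shape.
  if ((h['x-requested-with'] || '').toLowerCase() === 'xmlhttprequest') {
    return { status: 401, headers: cors };
  }
  // Page navigation: redirect to login and set the state cookie.
  return { status: 302, headers: {
    Location: LOGIN_URL,
    'Set-Cookie': 'auth_state=pending; HttpOnly; Secure; SameSite=Lax' } };
}
```
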
