Access Control Request Headers, is added to header in AJAX request with jQuery

Here is an example how to set a request header in a jQuery Ajax call:

$.ajax({  type: "POST",  beforeSend: function(request) {    request.setRequestHeader("Authority", authorizationToken);  },  url: "entities",  data: "json=" + escape(JSON.stringify(createRequestObject)),  processData: false,  success: function(msg) {    $("#results").append("The result =" + StringifyPretty(msg));  }});

This code below works for me. I always use only single quotes, and it works fine. I suggest you should use only single quotes or only double quotes, but not mixed up.

$.ajax({    url: 'YourRestEndPoint',    headers: {        'Authorization':'Basic xxxxxxxxxxxxx',        'X-CSRF-TOKEN':'xxxxxxxxxxxxxxxxxxxx',        'Content-Type':'application/json'    },    method: 'POST',    dataType: 'json',    data: YourData,    success: function(data){      console.log('succes: '+data);    }  });

What you saw in Firefox was not the actual request; note that the HTTP method is OPTIONS, not POST. It was actually the 'pre-flight' request that the browser makes to determine whether a cross-domain AJAX request should be allowed:

http://www.w3.org/TR/cors/

The Access-Control-Request-Headers header in the pre-flight request includes the list of headers in the actual request. The server is then expected to report back whether these headers are supported in this context or not, before the browser submits the actual request.