2014-10-13 03:26:22 +04:00
# window.fetch polyfill
2017-02-21 14:02:21 +03:00
The `fetch()` function is a Promise-based mechanism for programmatically making
2016-11-09 17:30:22 +03:00
web requests in the browser. This project is a polyfill that implements a subset
of the standard [Fetch specification][], enough to make `fetch` a viable
replacement for most uses of XMLHttpRequest in traditional web applications.
2015-07-08 21:02:35 +03:00
2016-11-09 17:30:53 +03:00
## Table of Contents
* [Read this first ](#read-this-first )
* [Installation ](#installation )
* [Usage ](#usage )
2018-09-04 13:32:05 +03:00
* [Importing ](#importing )
2016-11-09 17:30:53 +03:00
* [HTML ](#html )
* [JSON ](#json )
* [Response metadata ](#response-metadata )
* [Post form ](#post-form )
* [Post JSON ](#post-json )
* [File upload ](#file-upload )
* [Caveats ](#caveats )
* [Handling HTTP error statuses ](#handling-http-error-statuses )
* [Sending cookies ](#sending-cookies )
* [Receiving cookies ](#receiving-cookies )
2019-10-31 23:05:26 +03:00
* [Redirect modes ](#redirect-modes )
2016-11-09 17:30:53 +03:00
* [Obtaining the Response URL ](#obtaining-the-response-url )
2017-12-08 08:42:26 +03:00
* [Aborting requests ](#aborting-requests )
2016-11-09 17:30:53 +03:00
* [Browser Support ](#browser-support )
## Read this first
2018-07-25 16:03:50 +03:00
* If you believe you found a bug with how `fetch` behaves in your browser,
please **don't open an issue in this repository** unless you are testing in
an old version of a browser that doesn't support `window.fetch` natively.
2020-07-31 01:45:39 +03:00
Make sure you read this _entire_ readme, especially the [Caveats ](#caveats )
section, as there's probably a known work-around for an issue you've found.
2018-07-25 16:03:50 +03:00
This project is a _polyfill_ , and since all modern browsers now implement the
`fetch` function natively, **no code from this project** actually takes any
effect there. See [Browser support ](#browser-support ) for detailed
2016-11-09 17:30:53 +03:00
information.
* If you have trouble **making a request to another domain** (a different
2017-08-03 09:28:00 +03:00
subdomain or port number also constitutes another domain), please familiarize
yourself with all the intricacies and limitations of [CORS][] requests.
Because CORS requires participation of the server by implementing specific
HTTP response headers, it is often nontrivial to set up or debug. CORS is
exclusively handled by the browser's internal mechanisms which this polyfill
cannot influence.
2016-11-09 17:30:53 +03:00
2017-08-03 09:28:00 +03:00
* This project **doesn't work under Node.js environments** . It's meant for web
browsers only. You should ensure that your application doesn't try to package
and run this on the server.
2016-11-09 17:30:53 +03:00
2017-08-03 09:28:00 +03:00
* If you have an idea for a new feature of `fetch` , **submit your feature
requests** to the [specification's repository ](https://github.com/whatwg/fetch/issues ).
We only add features and APIs that are part of the [Fetch specification][].
2016-11-09 17:30:53 +03:00
2014-10-13 03:26:22 +04:00
## Installation
2018-09-04 13:32:05 +03:00
```
npm install whatwg-fetch --save
```
2014-10-23 20:44:34 +04:00
2018-10-04 23:04:48 +03:00
As an alternative to using npm, you can obtain `fetch.umd.js` from the
[Releases][] section. The UMD distribution is compatible with AMD and CommonJS
module loaders, as well as loading directly into a page via `<script>` tag.
2021-12-08 00:59:48 +03:00
You will also need a Promise polyfill for [older browsers ](https://caniuse.com/promises ).
2016-11-09 17:28:02 +03:00
We recommend [taylorhakes/promise-polyfill ](https://github.com/taylorhakes/promise-polyfill )
for its small size and Promises/A+ compatibility.
2015-08-17 17:37:55 +03:00
2018-09-04 13:32:05 +03:00
## Usage
For a more comprehensive API reference that this polyfill supports, refer to
https://github.github.io/fetch/.
### Importing
Importing will automatically polyfill `window.fetch` and related APIs:
2016-05-19 17:36:56 +03:00
```javascript
2018-09-04 13:32:05 +03:00
import 'whatwg-fetch'
window.fetch(...)
2016-05-19 17:36:56 +03:00
```
2015-01-27 22:17:23 +03:00
2018-09-04 13:32:05 +03:00
If for some reason you need to access the polyfill implementation, it is
available via exports:
2016-03-05 08:49:52 +03:00
```javascript
2018-09-04 13:32:05 +03:00
import {fetch as fetchPolyfill} from 'whatwg-fetch'
window.fetch(...) // use native browser version
fetchPolyfill(...) // use polyfill implementation
2016-03-05 08:49:52 +03:00
```
2018-09-04 13:32:05 +03:00
This approach can be used to, for example, use [abort
functionality](#aborting-requests) in browsers that implement a native but
outdated version of fetch that doesn't support aborting.
2014-10-13 03:26:22 +04:00
2018-09-04 13:32:05 +03:00
For use with webpack, add this package in the `entry` configuration option
before your application entry point:
```javascript
entry: ['whatwg-fetch', ...]
```
2016-11-09 19:31:07 +03:00
2014-10-13 03:26:22 +04:00
### HTML
```javascript
2014-10-14 19:57:48 +04:00
fetch('/users.html')
.then(function(response) {
return response.text()
}).then(function(body) {
document.body.innerHTML = body
})
2014-10-13 03:26:22 +04:00
```
### JSON
```javascript
fetch('/users.json')
.then(function(response) {
return response.json()
}).then(function(json) {
console.log('parsed json', json)
}).catch(function(ex) {
console.log('parsing failed', ex)
})
```
### Response metadata
```javascript
fetch('/users.json').then(function(response) {
console.log(response.headers.get('Content-Type'))
console.log(response.headers.get('Date'))
console.log(response.status)
console.log(response.statusText)
})
```
### Post form
```javascript
var form = document.querySelector('form')
2015-06-23 02:12:25 +03:00
fetch('/users', {
2016-01-31 22:34:39 +03:00
method: 'POST',
2014-10-13 03:26:22 +04:00
body: new FormData(form)
})
```
### Post JSON
```javascript
fetch('/users', {
2016-01-31 22:34:39 +03:00
method: 'POST',
2014-10-13 03:26:22 +04:00
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify({
name: 'Hubot',
login: 'hubot',
})
})
```
### File upload
```javascript
var input = document.querySelector('input[type="file"]')
2015-06-16 00:10:15 +03:00
var data = new FormData()
data.append('file', input.files[0])
data.append('user', 'hubot')
2014-10-13 03:26:22 +04:00
fetch('/avatars', {
2016-01-31 22:34:39 +03:00
method: 'POST',
2015-06-16 00:10:15 +03:00
body: data
2014-10-13 03:26:22 +04:00
})
```
2015-06-16 00:48:14 +03:00
### Caveats
* The Promise returned from `fetch()` **won't reject on HTTP error status**
2017-02-21 14:02:21 +03:00
even if the response is an HTTP 404 or 500. Instead, it will resolve normally,
and it will only reject on network failure or if anything prevented the
2015-06-16 00:48:14 +03:00
request from completing.
2018-07-26 00:37:08 +03:00
* For maximum browser compatibility when it comes to sending & receiving
cookies, always supply the `credentials: 'same-origin'` option instead of
relying on the default. See [Sending cookies ](#sending-cookies ).
2019-10-31 23:02:25 +03:00
* Not all Fetch standard options are supported in this polyfill. For instance,
[`redirect` ](#redirect-modes ) and
[`cache` ](https://github.github.io/fetch/#caveats ) directives are ignored.
2020-07-10 18:08:48 +03:00
* `keepalive` is not supported because it would involve making a synchronous XHR, which is something this project is not willing to do. See [issue #700 ](https://github.com/github/fetch/issues/700#issuecomment-484188326 ) for more information.
2019-10-31 23:02:25 +03:00
2015-06-16 00:48:14 +03:00
#### Handling HTTP error statuses
2014-10-20 11:47:11 +04:00
2015-06-16 01:05:33 +03:00
To have `fetch` Promise reject on HTTP error statuses, i.e. on any non-2xx
status, define a custom response handler:
2014-10-20 21:43:02 +04:00
2014-10-20 11:47:11 +04:00
```javascript
2015-06-16 01:05:33 +03:00
function checkStatus(response) {
2014-10-20 21:43:41 +04:00
if (response.status >= 200 & & response.status < 300 ) {
2015-04-14 00:17:05 +03:00
return response
2015-06-16 01:05:33 +03:00
} else {
var error = new Error(response.statusText)
error.response = response
throw error
2014-10-20 21:43:41 +04:00
}
}
2015-06-16 01:05:33 +03:00
function parseJSON(response) {
2014-10-20 21:43:41 +04:00
return response.json()
}
2014-10-20 11:47:11 +04:00
fetch('/users')
2015-06-16 01:05:33 +03:00
.then(checkStatus)
.then(parseJSON)
.then(function(data) {
console.log('request succeeded with JSON response', data)
2014-11-21 02:26:41 +03:00
}).catch(function(error) {
console.log('request failed', error)
2014-10-20 21:43:41 +04:00
})
2014-10-20 11:47:11 +04:00
```
2015-06-16 00:48:14 +03:00
#### Sending cookies
2018-07-26 00:31:59 +03:00
For [CORS][] requests, use `credentials: 'include'` to allow sending credentials
to other domains:
2015-06-16 00:48:14 +03:00
```javascript
2018-07-25 16:37:27 +03:00
fetch('https://example.com:1234/users', {
credentials: 'include'
2015-06-16 00:48:14 +03:00
})
```
2018-07-26 00:31:59 +03:00
The default value for `credentials` is "same-origin".
The default for `credentials` wasn't always the same, though. The following
versions of browsers implemented an older version of the fetch specification
where the default was "omit":
* Firefox 39-60
* Chrome 42-67
* Safari 10.1-11.1.2
If you target these browsers, it's advisable to always specify `credentials:
'same-origin'` explicitly with all fetch requests instead of relying on the
default:
```javascript
fetch('/users', {
credentials: 'same-origin'
})
```
2018-07-25 16:37:27 +03:00
2019-10-31 23:02:25 +03:00
Note: due to [limitations of
XMLHttpRequest](https://github.com/github/fetch/pull/56#issuecomment-68835992),
using `credentials: 'omit'` is not respected for same domains in browsers where
this polyfill is active. Cookies will always be sent to same domains in older
browsers.
2015-06-23 02:21:10 +03:00
#### Receiving cookies
2017-02-21 14:02:21 +03:00
As with XMLHttpRequest, the `Set-Cookie` response header returned from the
server is a [forbidden header name][] and therefore can't be programmatically
2015-06-23 02:21:10 +03:00
read with `response.headers.get()` . Instead, it's the browser's responsibility
to handle new cookies being set (if applicable to the current URL). Unless they
are HTTP-only, new cookies will be available through `document.cookie` .
2019-10-31 23:02:25 +03:00
#### Redirect modes
The Fetch specification defines these values for [the `redirect`
option](https://fetch.spec.whatwg.org/#concept-request-redirect-mode): "follow"
(the default), "error", and "manual".
Due to limitations of XMLHttpRequest, only the "follow" mode is available in
browsers where this polyfill is active.
2015-06-16 00:48:14 +03:00
#### Obtaining the Response URL
2015-01-11 03:25:22 +03:00
2015-06-16 01:17:39 +03:00
Due to limitations of XMLHttpRequest, the `response.url` value might not be
reliable after HTTP redirects on older browsers.
The solution is to configure the server to set the response HTTP header
`X-Request-URL` to the current URL after any redirect that might have happened.
It should be safe to set it unconditionally.
2015-01-11 03:25:22 +03:00
``` ruby
2015-06-16 01:17:39 +03:00
# Ruby on Rails controller example
2015-01-11 03:25:22 +03:00
response.headers['X-Request-URL'] = request.url
```
2015-06-16 01:17:39 +03:00
This server workaround is necessary if you need reliable `response.url` in
Firefox < 32 , Chrome < 37 , Safari , or IE .
2015-01-11 03:25:22 +03:00
2017-12-08 08:42:26 +03:00
#### Aborting requests
This polyfill supports
[the abortable fetch API ](https://developers.google.com/web/updates/2017/09/abortable-fetch ).
However, aborting a fetch requires use of two additional DOM APIs:
2018-05-23 17:15:48 +03:00
[AbortController ](https://developer.mozilla.org/en-US/docs/Web/API/AbortController ) and
2017-12-08 08:42:26 +03:00
[AbortSignal ](https://developer.mozilla.org/en-US/docs/Web/API/AbortSignal ).
Typically, browsers that do not support fetch will also not support
2018-05-23 17:15:48 +03:00
AbortController or AbortSignal. Consequently, you will need to include
2020-07-31 01:55:09 +03:00
[an additional polyfill ](https://www.npmjs.com/package/yet-another-abortcontroller-polyfill )
2018-05-23 17:15:48 +03:00
for these APIs to abort fetches:
2017-12-08 08:42:26 +03:00
```js
2020-07-31 01:55:09 +03:00
import 'yet-another-abortcontroller-polyfill'
2018-05-23 17:15:48 +03:00
import {fetch} from 'whatwg-fetch'
2018-09-04 13:32:05 +03:00
// use native browser implementation if it supports aborting
const abortableFetch = ('signal' in new Request('')) ? window.fetch : fetch
2017-12-08 08:42:26 +03:00
const controller = new AbortController()
2018-09-04 13:32:05 +03:00
abortableFetch('/avatars', {
2017-12-08 08:42:26 +03:00
signal: controller.signal
2017-12-08 20:18:56 +03:00
}).catch(function(ex) {
if (ex.name === 'AbortError') {
console.log('request aborted')
}
2017-12-08 08:42:26 +03:00
})
// some time later...
2018-05-23 17:15:48 +03:00
controller.abort()
2017-12-08 08:42:26 +03:00
```
2014-10-13 03:26:22 +04:00
## Browser Support
2016-09-11 17:36:58 +03:00
- Chrome
- Firefox
- Safari 6.1+
- Internet Explorer 10+
2017-01-25 20:33:21 +03:00
Note: modern browsers such as Chrome, Firefox, Microsoft Edge, and Safari contain native
2016-11-09 17:30:22 +03:00
implementations of `window.fetch` , therefore the code from this polyfill doesn't
2016-11-15 09:27:17 +03:00
have any effect on those browsers. If you believe you've encountered an error
2016-09-25 15:15:54 +03:00
with how `window.fetch` is implemented in any of these browsers, you should file
2017-01-24 01:04:02 +03:00
an issue with that browser vendor instead of this project.
2016-11-09 17:30:22 +03:00
[fetch specification]: https://fetch.spec.whatwg.org
[cors]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
"Cross-origin resource sharing"
2016-11-09 17:30:53 +03:00
[csrf]: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
"Cross-site request forgery"
2016-11-09 17:30:22 +03:00
[forbidden header name]: https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name
2018-10-04 23:04:48 +03:00
[releases]: https://github.com/github/fetch/releases