HTTP Preflight Request


According to the definition of a preflight request on MDN:

"A CORS preflight request is a CORS request that checks to see if the CORS protocol is understood."

When the front end sends a CORS request, the browser automatically issues an OPTIONS request to find out which options and methods the target server supports. The OPTIONS request carries the "Access-Control-Request-Method", "Access-Control-Request-Headers", and "Origin" headers. The front-end developer does not need to fire this request directly.

For example, when a client on domainA sends an XMLHttpRequest POST request to the domainB server, the browser first sends an OPTIONS request to domainB to see whether domainB allows domainA to access its resource. domainB may respond with something like the following if it allows access from domainA.

HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://domainA.com
Access-Control-Allow-Methods: POST, GET
Access-Control-Max-Age: 86400
...

Once the browser sees that it is allowed to POST and GET resources from domainB, it sends the actual POST request to the domainB server. serverB must include the "Access-Control-Allow-Origin" header in its response. If serverB does not include it in its response, the browser receives the response and intercepts it so that the front end (the code that fires the XMLHttpRequest) doesn't receive it.
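The server side of the exchange described above, as an added example that is not part of the original post: a function that decides which CORS headers domainB returns for the preflight and for the actual request, using an exact-match origin allowlist. The names `corsResponse` and `POLICY`, the allowed request-header list, and the 403 status for a refused preflight are assumptions made for illustration.

```javascript
// Added example: server-side CORS decision for the domainA -> domainB exchange.
// POLICY values are constructed for illustration.
const POLICY = {
  origins: new Set(["http://domainA.com"]), // exact-match allowlist
  methods: ["POST", "GET"],
  headers: ["content-type"],                // assumed allowed request headers
  maxAge: 86400,
};

// Header names arrive lower-cased, as Node's http module delivers them.
function corsResponse(method, reqHeaders, policy = POLICY) {
  const origin = reqHeaders["origin"];
  // No Origin header: not a CORS request, nothing to add.
  if (!origin) return { status: 200, headers: {} };
  // Vary: Origin keeps caches from serving one origin's answer to another.
  const headers = { Vary: "Origin" };
  const allowed = policy.origins.has(origin);
  const wanted = reqHeaders["access-control-request-method"];
  const isPreflight = method === "OPTIONS" && wanted !== undefined;

  if (!isPreflight) {
    // Actual request: the browser releases the response to the page only
    // if Access-Control-Allow-Origin is present and matches.
    if (allowed) headers["Access-Control-Allow-Origin"] = origin;
    return { status: 200, headers };
  }

  const asked = (reqHeaders["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const ok = allowed && policy.methods.includes(wanted) &&
    asked.every((h) => policy.headers.includes(h));
  // Denied preflight: omit every Allow-* header so the browser stops here.
  if (!ok) return { status: 403, headers };

  headers["Access-Control-Allow-Origin"] = origin;
  headers["Access-Control-Allow-Methods"] = policy.methods.join(", ");
  if (asked.length) headers["Access-Control-Allow-Headers"] = asked.join(", ");
  headers["Access-Control-Max-Age"] = String(policy.maxAge);
  return { status: 200, headers };
}

// Constructed preflight, as the browser would send it for domainA's POST.
const preflight = corsResponse("OPTIONS", {
  origin: "http://domainA.com",
  "access-control-request-method": "POST",
  "access-control-request-headers": "Content-Type",
});
console.log(preflight.status, preflight.headers);
```

The allowed origin is echoed back only after an exact match against the allowlist, so an origin that is not listed never receives an "Access-Control-Allow-Origin" header on either the preflight or the actual response.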

For details, see:

HTTP access control (CORS)

Cross Origin Resource Sharing

 




  

