
CORS Preflight Deep

How the browser asks permission with an OPTIONS request before sending certain cross origin calls.


What it is

Cross origin resource sharing is how a server opts in to letting a page from another origin read its responses. The browser enforces it; the server grants it through response headers.

Simple versus preflighted

  • A simple request uses a basic method and only basic headers and is sent directly. The browser then checks the Access-Control-Allow-Origin header on the response before exposing it to the page.
  • A preflighted request is preceded by an OPTIONS call when the method or headers are non-simple, such as a custom header or a PUT.

The preflight exchange

  • The browser sends OPTIONS with Access-Control-Request-Method and, if custom headers are involved, Access-Control-Request-Headers.
  • The server replies with Access-Control-Allow-Origin, Access-Control-Allow-Methods, and Access-Control-Allow-Headers.
  • If the reply permits the method, headers, and origin, the real request follows; otherwise the browser never sends it.

Credentials

To send cookies cross origin the server must set Access-Control-Allow-Credentials: true and cannot use a wildcard (*) in Access-Control-Allow-Origin. The requesting origin must be echoed explicitly.
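The preflight exchange and the credentials rule above, as an added example written for this lesson (not the site's own code): a small server-side decision function that classifies a request as simple or preflighted and builds the OPTIONS reply against an explicit origin allowlist, echoing the origin instead of a wildcard because credentials are allowed. The allowlist, methods, and headers passed in are assumed configuration.

```javascript
// Methods and headers a browser sends without a preflight (CORS-safelisted).
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// True when the browser would send the request directly, with no OPTIONS first.
function isSimpleRequest(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(lower)) return false; // custom header => preflight
    if (lower === "content-type" &&
        !SIMPLE_CONTENT_TYPES.has(String(value).split(";")[0].trim().toLowerCase())) {
      return false; // e.g. application/json forces a preflight
    }
  }
  return true;
}

// Build the server's answer to an OPTIONS preflight. Request header names are
// expected lowercased, as most HTTP servers expose them. allowedOrigins,
// allowedMethods and allowedHeaders are assumed configuration (Sets).
function preflightResponse(reqHeaders, allowedOrigins, allowedMethods, allowedHeaders) {
  const origin = reqHeaders["origin"];
  const reqMethod = (reqHeaders["access-control-request-method"] || "").toUpperCase();
  const reqHeaderList = (reqHeaders["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const deny = { status: 403, headers: {} }; // no CORS headers: browser blocks the real request

  if (!allowedOrigins.has(origin)) return deny;       // never reflect unknown origins
  if (!allowedMethods.has(reqMethod)) return deny;
  const lowerAllowed = new Set([...allowedHeaders].map((h) => h.toLowerCase()));
  if (!reqHeaderList.every((h) => lowerAllowed.has(h))) return deny;

  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin,           // echoed explicitly, not "*"
      "Access-Control-Allow-Credentials": "true",      // cookies permitted for this origin
      "Access-Control-Allow-Methods": [...allowedMethods].join(", "),
      "Access-Control-Allow-Headers": [...allowedHeaders].join(", "),
      "Vary": "Origin",                                // caches must key on Origin
    },
  };
}
```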

Key idea

CORS lets a server opt in to cross origin reads; non-simple requests trigger an OPTIONS preflight that must be approved before the real request is sent.

Check yourself


1. What triggers a CORS preflight?

2. What is required to send cookies on a cross origin request?