
CORS Simple vs Preflight

When a browser asks permission before a cross-origin request.

6 min read · advanced

Crossing Origins Safely

The same-origin policy blocks a script from freely reading responses from another origin. CORS is the mechanism by which a server opts in to cross-origin access using response headers; the browser enforces what those headers allow.

Simple Requests

A simple request is sent directly, and the browser checks the response afterward. A request qualifies as simple only if it uses a method such as GET or POST, carries only the request headers the CORS spec safelists, and uses a basic content type. The server must return an Access-Control-Allow-Origin header that matches the requesting origin; otherwise the browser hides the response from the script.

Preflighted Requests

If a request is not simple, for example because it uses a custom header or the DELETE method, the browser first sends a preflight request using the OPTIONS method.

  • The preflight names the intended method and headers.
  • The server answers with the methods and headers it allows.
  • Only on approval does the browser send the real request.

Why Preflight Exists

Preflight protects servers that predate CORS by confirming consent before any state-changing request reaches them.
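The two decisions described above (is the request simple, and do the server's headers permit it) can be modelled in a few lines. This is an added example written for this lesson, not code from the lesson or from any browser; the origins, header names in the sample objects and the helper names are constructed for illustration, and credentialed requests are left out.

```javascript
// Added example, not from the lesson: a simplified model of the browser-side
// CORS decision. It classifies a request as simple or preflighted and checks
// the server's Access-Control-* response headers the way the lesson describes.
// Header objects and origins used with it are constructed sample values.

const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Request headers that disqualify a request from being "simple". Content-Type only
// counts as safelisted when its media type is one of the three form-style types.
function nonSafelistedHeaders(headers = {}) {
  const out = [];
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    const mime = String(value).split(";")[0].trim().toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower) || (lower === "content-type" && !SIMPLE_CONTENT_TYPES.has(mime))) {
      out.push(lower);
    }
  }
  return out;
}

// A simple request is sent immediately; anything else needs an OPTIONS preflight first.
function isSimpleRequest(method, headers = {}) {
  return SAFELISTED_METHODS.has(method.toUpperCase()) && nonSafelistedHeaders(headers).length === 0;
}

// After any response, the script may read it only if Access-Control-Allow-Origin
// is "*" or exactly the page's origin. A missing header means the browser hides it.
function originAllowed(pageOrigin, allowOriginHeader) {
  return allowOriginHeader === "*" || allowOriginHeader === pageOrigin;
}

// Preflight approval: the server must allow the origin, the intended method (safelisted
// methods are always allowed) and every non-safelisted request header. Simplification:
// credentialed requests, where "*" is not honoured, are not modelled here.
function preflightApproved(pageOrigin, method, headers, preflightResponse) {
  const list = (name) => (preflightResponse[name] || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  if (!originAllowed(pageOrigin, preflightResponse["access-control-allow-origin"])) return false;
  const methods = list("access-control-allow-methods");
  if (!SAFELISTED_METHODS.has(method.toUpperCase()) && !methods.includes(method.toLowerCase())) return false;
  const allowed = list("access-control-allow-headers");
  return nonSafelistedHeaders(headers).every((h) => allowed.includes(h) || allowed.includes("*"));
}
```

A POST with `Content-Type: application/json` is the classic surprise: the method is safelisted, but the content type is not, so the browser preflights it.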

Key idea

CORS lets a server opt into cross-origin access: simple requests are sent directly, but non-simple requests require an OPTIONS preflight to confirm permission before they reach the server.

Check yourself


1. What triggers a CORS preflight request?

2. Which header tells the browser a cross origin response may be read?

3. Why does preflight use the OPTIONS method?