I'm issuing a simple CORS request, to a cross-origin resource. I assumed as it is a POST request, with a parameter, it would classify as a simple CORS request, and therefore not need a pre-flight call. But it looks to not be the case.
Also, unfortunately, because I am using .NET Web API, any simple data type has to be passed on the query string in a POST request.
Using Angular $http for the POST.
OPTIONS:
Request URL:http://api.local.foundation./account/LoginAutomatically?key=null
Request Method:OPTIONS
Status Code:200 OK
Request Headers
Accept:*/*
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Access-Control-Request-Headers:accept, content-type
Access-Control-Request-Method:POST
Cache-Control:no-cache
Connection:keep-alive
Host:api.local.foundation.
Origin:http://www.local.foundation.
Pragma:no-cache
Referer:http://www.local.foundation./
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Query String Parameters
key:null
POST:
Request URL:http://api.local.foundation./account/LoginAutomatically?key=null
Request Method:POST
Status Code:200 OK
Request Headers
Accept:application/json, text/plain, */*
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:no-cache
Connection:keep-alive
Content-Length:0
Content-Type:application/json;charset=utf-8
Host:api.local.foundation.
Origin:http://www.local.foundation.
Pragma:no-cache
Referer:http://www.local.foundation./
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Query String Parameters
key:null
asked Jan 3, 2014 at 21:35
williamsandonz

The preflight OPTIONS request is necessary for all CORS. The Access-Control-* headers are what the client looks for before proceeding. A request is a request, no matter how 'simple'. – danronmoon Commented Jan 3, 2014 at 21:43

@danronmoon OPTIONS is not necessary for all of CORS. It is only sent ahead of "non-simple" CORS requests. The CORS spec defines a simple CORS request. – Ray Nicholus Commented Jan 3, 2014 at 21:50
1 Answer
Your CORS request is preflighted due to the Content-Type of your request. "application/json" makes your request a "non-simple" CORS request, thus it is preflighted. If the Content-Type of your request was, say, "text/plain", it would not be preflighted in this case.
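
The rule the answer describes, as an added example that is not part of the original answer: a simplified check of the CORS "simple request" conditions, run against the POST from the question. The function name `preflightReasons` is hypothetical, and the check assumes it is given only the headers the script itself sets; it ignores the spec's limits on header value length and bytes.

```javascript
// Added example: simplified check of the CORS "simple request" rules.
// Input is the method plus only the headers the script itself sets
// (browser-supplied ones such as Host, Origin, User-Agent do not count).
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Returns the list of reasons a request is "non-simple" (hypothetical helper).
function preflightReasons(method, headers) {
  const reasons = [];
  if (!SIMPLE_METHODS.has(method.toUpperCase())) {
    reasons.push(`method ${method.toUpperCase()}`);
  }
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) {
      reasons.push(`header ${lower}`);
    } else if (lower === "content-type") {
      // Only the MIME type before any ";charset=..." parameter matters.
      const essence = value.split(";")[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(essence)) {
        reasons.push(`content-type ${essence}`);
      }
    }
  }
  return reasons; // empty array: the browser sends no preflight
}

// Author-set headers of the POST shown in the question.
const questionPost = {
  "Accept": "application/json, text/plain, */*",
  "Content-Type": "application/json;charset=utf-8",
};
// Same request with the Content-Type the answer suggests.
const textPlainPost = { ...questionPost, "Content-Type": "text/plain" };

console.log(preflightReasons("POST", questionPost));
console.log(preflightReasons("POST", textPlainPost));
// Constructed sample: a non-simple method and a non-safelisted header.
console.log(preflightReasons("PUT", { "X-Requested-With": "XMLHttpRequest" }));
```

An empty result means the request goes out directly; any entry in the list is enough for the browser to send the OPTIONS preflight first.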