Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

You can do GET & POST requests without preflight.

The logic behind this is: It was possible to do this before the introduction of those APIs anyway - but you could not read the response.

You could send a GET request by, for example, embedding an image. And you could send a POST request by submitting a form - even if the form did only consist of hidden elements.

Those are called "simple requests": https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/COR...

It is expected from web application that they can correctly handle those requests, even when they were sent from a different origin (for example, blocking them by using a CSRF token).

It was however not expected that existing web applications could handle non-simple requests - as the ability to do so was restricted either to command line tools or required other user interaction/configuration. This is where the preflight request comes in - send an OPTIONS to check if the other side is okay with that kind of request.

But what CORS do is: It can make the response available to the requesting script - the request did already happen if it didn't require a preflight.



Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: