7/24/2013

Sending preflight requests

With CORS, if your request method is something other than GET, POST, or HEAD, or if you are sending a custom HTTP header, the browser will make what is called a preflight request. A preflight request is a server verification mechanism that lets both parties decide whether the attempt is legitimate before the actual request is performed.

To notify the server about the upcoming request and ask for permission, the client sends the following headers:

  Origin: the origin of the request
  Access-Control-Request-Method: the intended HTTP method of the request
  Access-Control-Request-Headers: a comma-separated list of custom headers that the request wants to use

The server then communicates back to the client by sending the following headers with the response:

  Access-Control-Allow-Origin: the allowed origin (must match the Origin header from the request)
  Access-Control-Allow-Methods: a comma-separated list of allowed methods
  Access-Control-Allow-Headers: a comma-separated list of allowed headers
  Access-Control-Max-Age: the amount of time (in seconds) that this preflight response may be cached for
  Access-Control-Allow-Credentials: indicates whether the requested resource supports credentialed requests (optional)

Example: a failed CORS request with a not-allowed custom header

source code:

  $.ajax({
    type: 'GET',
    url: 'http://json.chunghe.me/list/page/0',
    headers: {"hello": "world"}
  }).done(function(a){ console.log(a) })

request headers (preflight):

  Accept:*/*
  Accept-Encoding:gzip,deflate,sdch
  Accept-Language:zh-TW,zh;q=0.8,en-US;q=0.6,en;q=0.4
  Access-Control-Request-Headers:accept, hello, origin
  Access-Control-Request-Method:GET
  Connection:keep-alive
  Host:json.chunghe.me
  Origin:http://fiddle.jshell.net
  Referer:http://fiddle.jshell.net/_display/
  User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.71 Safari/537.36

response headers:

  Access-Control-Allow-Credentials:true
  Access-Control-Allow-Headers:X-Requested-With
  Access-Control-Allow-Methods:GET, POST, OPTIONS, DELETE
  Access-Control-Allow-Origin:*
  Access-Control-Max-Age:1728000
  Connection:keep-alive
  Content-Length:0
  Content-Type:text/plain
  Date:Wed, 24 Jul 2013 06:47:48 GMT
  Server:nginx/1.2.1
  X-Powered-By:Express

console:

  OPTIONS http://json.chunghe.me/list Request header field hello is not allowed by Access-Control-Allow-Headers. jquery-1.9.1.js:8526
  XMLHttpRequest cannot load http://json.chunghe.me/list. Request header field hello is not allowed by Access-Control-Allow-Headers.

The server's Access-Control-Allow-Headers lists only X-Requested-With, so the browser refuses to send the actual request with the custom "hello" header.

Example: a successful CORS request with an allowed custom header (X-Requested-With)

source code:

  $.ajax({
    type: 'GET',
    url: 'http://json.chunghe.me/list/page/0',
    headers: {'X-Requested-With': 'XMLHttpRequest'}
  }).done(function(a){ console.log(a) })

first request (preflight):

  Request URL:http://json.chunghe.me/list/page/0
  Request Method:OPTIONS
  Status Code:200 OK

request headers:

  Accept:*/*
  Accept-Encoding:gzip,deflate,sdch
  Accept-Language:zh-TW,zh;q=0.8,en-US;q=0.6,en;q=0.4
  Access-Control-Request-Headers:accept, origin, x-requested-with
  Access-Control-Request-Method:GET
  Connection:keep-alive
  Host:json.chunghe.me
  Origin:http://fiddle.jshell.net
  Referer:http://fiddle.jshell.net/_display/
  User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.71 Safari/537.36

response headers:

  Access-Control-Allow-Credentials:true
  Access-Control-Allow-Headers:X-Requested-With
  Access-Control-Allow-Methods:GET, POST, OPTIONS, DELETE
  Access-Control-Allow-Origin:*
  Access-Control-Max-Age:1728000
  Connection:keep-alive
  Content-Length:0
  Content-Type:text/plain
  Date:Wed, 24 Jul 2013 06:52:10 GMT
  Server:nginx/1.2.1
  X-Powered-By:Express

second request (actual request):

  Request URL:http://json.chunghe.me/list/page/0
  Request Method:GET
  Status Code:200 OK

request headers:

  Accept:*/*
  Accept-Encoding:gzip,deflate,sdch
  Accept-Language:zh-TW,zh;q=0.8,en-US;q=0.6,en;q=0.4
  Connection:keep-alive
  Host:json.chunghe.me
  Origin:http://fiddle.jshell.net
  Referer:http://fiddle.jshell.net/_display/
  User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.71 Safari/537.36
  X-Requested-With:XMLHttpRequest

response headers:

  Access-Control-Allow-Origin:*
  Connection:keep-alive
  Content-Length:575
  Content-Type:application/json
  Date:Wed, 24 Jul 2013 06:52:10 GMT
  Server:nginx/1.2.1
  X-Powered-By:Express
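The decision the browser makes between the preflight and the actual request, as an added example that is not the post's own code: it applies the server's Access-Control-* answer from the traces above to the two requests (a constructed server response and two constructed requests; the `checkPreflight` and `splitList` names are the example's own), and also shows why the same server's `Access-Control-Allow-Origin: *` would not satisfy a credentialed request.

```javascript
// Added example, not the post's code: the allow/deny check a browser makes after a
// CORS preflight, applied to the two traces above. Sample requests and the server
// response are constructed from the post's traces; the header names are real.
// "Simple" request headers, plus Origin (browser-set; Chrome 28 still listed it in
// the preflight), are accepted without appearing in Access-Control-Allow-Headers.
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type', 'origin']);
const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
// Split a comma-separated header value into trimmed, lower-cased tokens.
function splitList(value) {
  return (value || '').split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
}

// preflight: { origin, method, headers: [names], credentials: bool }
// response:  the Access-Control-* headers the server answered with
// Returns { ok: true } or { ok: false, reason }.
function checkPreflight(preflight, response) {
  const allowOrigin = response['Access-Control-Allow-Origin'];
  if (preflight.credentials) {
    // Credentialed requests: '*' is not accepted, the origin must be echoed exactly and
    // Allow-Credentials must be 'true'. The server above answers '*' with
    // Allow-Credentials:true, so a credentialed request from this page would fail.
    if (allowOrigin !== preflight.origin)
      return { ok: false, reason: `origin ${preflight.origin} not allowed with credentials` };
    if ((response['Access-Control-Allow-Credentials'] || '').toLowerCase() !== 'true')
      return { ok: false, reason: 'credentials not allowed' };
  } else if (allowOrigin !== '*' && allowOrigin !== preflight.origin) {
    return { ok: false, reason: `origin ${preflight.origin} not allowed` };
  }
  const methods = new Set(splitList(response['Access-Control-Allow-Methods']).map(m => m.toUpperCase()));
  if (!methods.has(preflight.method) && !SAFELISTED_METHODS.has(preflight.method))
    return { ok: false, reason: `method ${preflight.method} not allowed by Access-Control-Allow-Methods` };
  const allowedHeaders = new Set(splitList(response['Access-Control-Allow-Headers']));
  for (const h of preflight.headers.map(x => x.toLowerCase())) {
    if (!allowedHeaders.has(h) && !SAFELISTED_HEADERS.has(h))
      return { ok: false, reason: `Request header field ${h} is not allowed by Access-Control-Allow-Headers.` };
  }
  return { ok: true };
}
// Constructed from the post's traces: the server allows only X-Requested-With.
const serverResponse = {
  'Access-Control-Allow-Credentials': 'true',
  'Access-Control-Allow-Headers': 'X-Requested-With',
  'Access-Control-Allow-Methods': 'GET, POST, OPTIONS, DELETE',
  'Access-Control-Allow-Origin': '*',
};
const failing = { origin: 'http://fiddle.jshell.net', method: 'GET',
                  headers: ['accept', 'hello', 'origin'], credentials: false };
const passing = { origin: 'http://fiddle.jshell.net', method: 'GET',
                  headers: ['accept', 'origin', 'x-requested-with'], credentials: false };
```

`checkPreflight(failing, serverResponse)` reproduces the console message from the first trace, while `checkPreflight(passing, serverResponse)` lets the actual GET go out as in the second.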
