CORS preflight request
A CORS preflight is an OPTIONS request asking whether a cross-origin method and request fields are permitted.
- cors
- preflight
- browsers
Definition
A CORS preflight is an OPTIONS request generated by the browser before certain
cross-origin requests. It advertises the intended method and non-safelisted field
names so the server can grant or deny them.
OPTIONS /records HTTP/1.1
Origin: https://app.example.invalid
Access-Control-Request-Method: QUERY
Access-Control-Request-Headers: content-type
Expected result: the actual request proceeds only if the preflight response supplies the required CORS permissions. Passing preflight does not replace the origin grant on the actual response.
Why it matters
The application script normally does not send preflight itself. Diagnose the
OPTIONS exchange and the intended request as two related but separate HTTP
transactions.
