Observe a CORS preflight

Observe how a browser asks permission for a method and fields before sending the intended request.

  • cors
  • preflight
  • browsers

Prediction

Adding one fixed non-safelisted request field should make the browser send OPTIONS before the intended request.

Controlled observation

The future UI will show preflight and actual exchanges separately for fixed preview origins, without accepting an Origin value from the user.

Explanation

Preflight asks whether an origin may use the intended method and fields. A successful HTTP response still needs compatible CORS sharing fields.

Controlled exercise

Run this observation

Compare the simple GET with the POST whose fixed non-safelisted field causes a browser OPTIONS preflight.

Ready. No request has run.

Controlled request

Method
GET
URL
https://lab.httpclarity.com/v1/cors-preflight/simple
Permitted headers
None
Body
None

Browser-observed response

No response yet. The explanation and examples remain useful without JavaScript or the Worker.

Timing is browser elapsed time. Fetch hides Set-Cookie, raw wire bytes, reliable compressed size, and some redirect details.

Portable examples

cURL

              'curl' '--include' '--request' 'GET' 'https://lab.httpclarity.com/v1/cors-preflight/simple'
            

Fetch API

              const response = await fetch("https://lab.httpclarity.com/v1/cors-preflight/simple", {
  "method": "GET"
});
console.log(response.status, await response.text());
            

PHP

              <?php
$options = ['http' => [
    'method' => 'GET',
    'ignore_errors' => true,
]];
$context = stream_context_create($options);
$body = file_get_contents('https://lab.httpclarity.com/v1/cors-preflight/simple', false, $context);
var_dump($http_response_header, $body);
            

Need a full API client? Copy the generated cURL command, then import it in Hoppscotch. HTTPClarity sends no request data to Hoppscotch.

Continue in Hoppscotch (opens in a new tab)

Primary sources