In Cors, Are Post Request With Credentials Pre-flighted ?
Solution 1:
Preflight requests are intended to stop the browser from sending certain kinds of requests to a server unless the server explicitly allows it. However, browsers could already send credentialed POST requests directly to the server prior to the advent of CORS support.
The "Security Considerations" part of the CORS spec says (emphasis mine):
Simple cross-origin requests generated outside this specification (such as cross-origin form submissions using GET or POST or cross-origin GET requests resulting from script elements) typically include user credentials, so resources conforming to this specification must always be prepared to expect simple cross-origin requests with credentials.
In other words, the ability to have credentialed POST requests reach the server without a preflight is nothing new: developers have been able to make it happen ever since browsers supported <form>
s. Therefore, there is no benefit to requiring a preflight for Ajax that includes credentialed POST requests.
Post a Comment for "In Cors, Are Post Request With Credentials Pre-flighted ?"