Origins made up of three parts the data scheme, the hostname and the prot.
It is important to know that it is user broswere enforces the same origin policy, it is the client browser not allow you send the different origin request not the server.
CROS:
Client side send the request, server side will check wheterh "Access-Control-Allow-Origin" is the same as "Referer".
One problem for this is request is already send to server, include all the data. What we want is from client side, we just sent the min-info to check the CROS, instead of sending business data.
So there is Preflight request comes in to play.
Preflight request:
It sends OPTIONS methoda and with "Referer", so server only needs to check "Referer" and return "ACAO".
To check whether a request is a Preflight request, you need to see whether it has "OPTIONS" method in the request head.
But notice, if a request is come from a form , then it cannot be preflight. See MORE
Preflighted requests
Unlike simple requests (discussed above), "preflighted" requests first send an HTTP request by the
OPTIONSmethod to the resource on the other domain, in order to determine whether the actual request is safe to send. Cross-site requests are preflighted like this since they may have implications to user data. In particular, a request is preflighted if:
- It uses methods other than
GET, HEADorPOST. Also, ifPOSTis used to send request data with a Content-Type other thanapplication/x-www-form-urlencoded,multipart/form-data, ortext/plain, e.g. if thePOSTrequest sends an XML payload to the server usingapplication/xmlortext/xml, then the request is preflighted.- It sets custom headers in the request (e.g. the request uses a header such as
X-PINGOTHER)