7

I use backbone.js's model. When I save the model, it sends an HTTP OPTIONS method to the server side on Firefox, but sends an HTTP POST method with Safari.

I know it is not an issue with backbone.js; it is about CORS. I will just check whether the method is GET, POST, PUT or DELETE on the server side; I will not do anything with the HTTP OPTIONS method.

My requested URL is my API, api.foo.com, and the API is requested from bar.com.

So, how can I make all browsers request my api.foo.com with HTTP POST, not OPTIONS? And how can I share api.foo.com's content with all requests from any other domains?

Note: I have already changed the response's headers on the server side to: Access-Control-Allow-Origin: *

Gumbo
Mehmet Davut

1 Answer

7

The OPTIONS request is actually the so-called preflight request of the CORS specification. This preflight request is used by web browsers to check under what conditions the server would accept a request from the respective origin. If the response to the preflight request was satisfying, the browser will send the actual request.

So to comply with this specification, you need your server to reproduce the steps of preflight request processing.

Gumbo
  • So, how can I set the browser to not check under what conditions the server would accept a request? And it will check before every POST request? Because I want every browser which executes my JavaScript to send just the POST method to my server-side script – Mehmet Davut Dec 01 '11 at 14:44
  • @davit You can’t. Cross-origin requests were not possible with the [original XHR](http://www.w3.org/TR/XMLHttpRequest/) due to security reasons ([CSRF](https://www.owasp.org/index.php/Cross-Site_Request_Forgery)). The [XHR level 2](http://www.w3.org/TR/XMLHttpRequest2/) made it possible but with the requirement to comply with the CORS specification. – Gumbo Dec 01 '11 at 15:21
  • @davit And although GET is said to be a [simple method](http://www.w3.org/TR/cors/#simple-method), a [simple cross-origin request](http://www.w3.org/TR/cors/#simple-cross-origin-request) is only possible if the *force preflight flag* is false (i.e. it’s not an *XMLHttpRequestUpload* request) and there are no other header fields in the request than [simple header fields](http://www.w3.org/TR/cors/#simple-header). – Gumbo Dec 01 '11 at 15:22
  • Thanks for the information, I will read all the pages you shared. These seem a little complex. I want to ask one last thing: do you have any idea how Facebook does this with their JavaScript SDK? – Mehmet Davut Dec 01 '11 at 15:29
  • @davit Their servers probably implement the preflight request processing instructions. – Gumbo Dec 01 '11 at 15:38
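
The preflight processing described in the answer above, sketched as an added example that is not part of the original thread: a server-side decision function that answers the OPTIONS preflight itself and lets only GET, POST, PUT and DELETE reach the API handler. The `POLICY` values, the `corsDecision` name and the sample request are assumptions made for illustration; a JSON POST is preflighted because `application/json` is not a simple content type.

```javascript
// Added example: CORS policy for api.foo.com (values here are assumptions).
const POLICY = {
  allowOrigin: '*', // as in the question; '*' cannot be used with credentialed requests
  allowMethods: ['GET', 'POST', 'PUT', 'DELETE'],
  allowHeaders: ['content-type', 'x-requested-with'],
  maxAgeSeconds: 600, // how long the browser may cache the preflight result
};

// req: { method, headers } with lower-cased header names, as Node's http module provides.
// Returns { status, headers, runHandler }; status null means "let the handler set it".
function corsDecision(req, policy = POLICY) {
  const origin = req.headers['origin'];
  // No Origin header: not a cross-origin request, so no CORS headers are needed.
  if (!origin) return { status: null, headers: {}, runHandler: true };

  const wanted = req.headers['access-control-request-method'];
  if (req.method !== 'OPTIONS' || wanted === undefined) {
    // Actual request: run the handler only for methods the API supports.
    const ok = policy.allowMethods.includes(req.method);
    return {
      status: ok ? null : 405,
      headers: { 'Access-Control-Allow-Origin': policy.allowOrigin },
      runHandler: ok,
    };
  }

  // Preflight: check the announced method and header names against the policy.
  const asked = (req.headers['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  const allowed = policy.allowMethods.includes(wanted) &&
    asked.every((h) => policy.allowHeaders.includes(h));
  // A refusal carries no Access-Control-* headers, so the browser never sends the real request.
  if (!allowed) return { status: 403, headers: {}, runHandler: false };

  return {
    status: 204, // preflight is answered here; the POST/PUT handler is never invoked
    headers: {
      'Access-Control-Allow-Origin': policy.allowOrigin,
      'Access-Control-Allow-Methods': policy.allowMethods.join(', '),
      'Access-Control-Allow-Headers': policy.allowHeaders.join(', '),
      'Access-Control-Max-Age': String(policy.maxAgeSeconds),
    },
    runHandler: false,
  };
}

// Constructed sample: the preflight a browser on bar.com sends before a JSON POST.
const samplePreflight = { method: 'OPTIONS', headers: { origin: 'http://bar.com',
  'access-control-request-method': 'POST', 'access-control-request-headers': 'Content-Type' } };
console.log(corsDecision(samplePreflight));
```

The server still has to enforce its own authorization on the actual request, since non-browser clients never send a preflight.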