2

I have a front-end part (js) on http://example.com and a back-end (REST API) on http://api.example.com. Is it possible to make requests to the back-end without an OPTIONS request before each GET/POST etc. request?

Crabar
  • Possible duplicate of http://stackoverflow.com/questions/6277926/javascript-access-from-parent-domain-to-subdomain – Jyothi Babu Araja Dec 27 '16 at 14:55
  • It is not a duplicate. CORS is already configured and working properly. But it adds some lag to each request, because it sends an OPTIONS request before each request. So now I'm looking for a way to get rid of CORS. – Crabar Dec 27 '16 at 14:59
  • For a `CORS` request, `OPTIONS` is mandatory. The time for `OPTIONS` is cosmetic. I mean it won't take much time. – Jyothi Babu Araja Dec 27 '16 at 15:02
  • It takes 250ms on each OPTIONS request in my case (server physically pretty far from client). – Crabar Dec 27 '16 at 15:16

1 Answer

3

You cannot get rid of the OPTIONS request unless you don't send any data, and don't send custom headers.

According to Why am I getting an OPTIONS request instead of a GET request?

The OPTIONS request will be made if you send data with Content-Type other than application/x-www-form-urlencoded, multipart/form-data, or text/plain.

Also, as stated there, the OPTIONS request will be made if you send custom headers.

So in order to avoid the preflight, you'll be forced to NOT do any of those things.

This is all because the idea is to first check if the CORS will be allowed or not and you don't send any data to a server that you don't want to send.

Pablo Matias Gomez
  • Can I find a list of "non-custom" headers somewhere? For example, I'm using `WWW-Authenticate`, does it count as custom? – Crabar Dec 27 '16 at 15:19
  • That is not a custom header. You could check here https://en.wikipedia.org/wiki/List_of_HTTP_header_fields – Pablo Matias Gomez Dec 27 '16 at 15:21
  • Could you give me a tip on what is wrong with my GET request? https://gist.github.com/Crabar/25308f5b9e283c65b258d2402757a9da – Crabar Dec 27 '16 at 15:30
  • What type of request are you making? `POST` with body? – Pablo Matias Gomez Dec 27 '16 at 15:34
  • GET without body. Don't look at ContentType, I added it just to check if this changes something. – Crabar Dec 27 '16 at 15:38
  • I found [this doc](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS). There is a small list of supported headers. It doesn't contain `Authenticate`, for example. – Crabar Dec 27 '16 at 15:41
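
Added example, not part of the original answer or comments: a simplified JavaScript check, based on the Fetch standard's CORS-safelisted methods and request headers, that reports why a cross-origin request would be preflighted. It goes beyond the two conditions quoted in the answer by also checking the method; `preflightReasons` and the sample requests are constructed for illustration, and value-length limits, the `Range` header and upload listeners are not modelled.

```javascript
// Added example: simplified model of the browser's preflight decision.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Returns the reasons a cross-origin request would be preflighted.
// An empty array means the browser sends it directly, with no OPTIONS.
function preflightReasons({ method = "GET", headers = {} }) {
  const reasons = [];
  const m = method.toUpperCase();
  if (!SAFE_METHODS.has(m)) reasons.push(`method ${m}`);
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFE_HEADERS.has(n)) {
      reasons.push(`header ${n}`);
    } else if (n === "content-type") {
      // Only the MIME type matters; parameters such as charset are ignored.
      const mime = String(value).split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(mime)) reasons.push(`content-type ${mime}`);
    }
  }
  return reasons;
}

// Constructed sample requests (hypothetical, not taken from the linked gist).
const samples = [
  { method: "GET", headers: { Accept: "application/json" } },
  { method: "GET", headers: { "Content-Type": "application/json" } },
  { method: "GET", headers: { Authorization: "Bearer <token>" } },
  { method: "POST", headers: { "Content-Type": "text/plain; charset=UTF-8" } },
  { method: "PUT", headers: { "X-Requested-With": "XMLHttpRequest" } },
];
for (const s of samples) {
  const r = preflightReasons(s);
  const verdict = r.length ? "preflight: " + r.join(", ") : "no preflight";
  console.log(s.method, JSON.stringify(s.headers), "->", verdict);
}
```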