
I am using CORS in my application. On the server I am specifying the CORS origin as www.test.com and the HTTP method as POST.

My client is running under the origin www.test.com and I am calling the GET method from my client. According to the CORS policy it should not return the response, since the HTTP methods are different, but it is still returning the result.

Why is CORS not matching HTTP methods for non-preflight methods?

karthikraja
  • So that the GET method does not trigger a preflight request since it's not required, do I understand correctly? – skyboyer Nov 02 '18 at 07:12
  • As @skyboyer notes, a GET request doesn’t trigger browsers to do a preflight — unless that GET request sets custom headers. So if the browser does no preflight, then the Access-Control-Allow-Methods header takes no part in the protocol. In other words, Access-Control-Allow-Methods is only used in preflighted requests. – sideshowbarker Nov 02 '18 at 08:05
  • Hi @skyboyer, thanks for your interest. I went through the system.web.cors code, where I found the same as you said: if it is not a preflight request they are not matching HTTP methods, they are only matching the origin. I want to mention this in a document, so is there any article available to show this? – karthikraja Nov 02 '18 at 10:08
  • I believe there is another reason: it's up to the browser to decide whether to run a preflight response or not. It's done based [on some conditions](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#What_requests_use_CORS). So if the browser decided the request is _simple_ (it's a term here, check the link) it does not send a preflight OPTIONS request. If there is no preflight request the server does not respond with `access-control-allow-methods`. So finally the browser does not get this header, so there is no rejection. I believe that's what happens. – skyboyer Nov 02 '18 at 10:45
  • If you want to reject GET requests for some endpoint you should use some other server config/mechanism instead of CORS. I believe it could be somewhere in the router, returning `405 Method Not Allowed`. – skyboyer Nov 02 '18 at 10:45

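The browser-side decision the comments describe, as an added illustration that is not code from the question or from any CORS library: a simplified model of the "simple request" test, showing that Access-Control-Allow-Methods is only consulted when a preflight happens. The origin value with scheme and the `{ allowOrigin, allowMethods }` server shape are assumptions for the example.

```javascript
// Simplified model of the browser's CORS decision (added example, not a library's code).
// The real algorithm has more conditions; this covers the method, header and content-type rules.
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// A request is "simple" (no preflight) only if its method, headers and content-type are all safelisted.
function isSimpleRequest(req) {
  if (!SIMPLE_METHODS.has(req.method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(req.headers || {})) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return false;
    const mediaType = String(value).split(';')[0].trim().toLowerCase();
    if (lower === 'content-type' && !SIMPLE_CONTENT_TYPES.has(mediaType)) return false;
  }
  return true;
}

// server: assumed shape { allowOrigin, allowMethods } mirroring the question's configuration.
function corsDecision(req, server) {
  const originOk = server.allowOrigin === '*' || server.allowOrigin === req.origin;
  if (isSimpleRequest(req)) {
    // No preflight: the request is sent as-is and only Access-Control-Allow-Origin
    // on the actual response is checked. Access-Control-Allow-Methods plays no part.
    return { preflight: false, allowed: originOk };
  }
  // Preflighted: an OPTIONS round-trip happens first, and the browser checks
  // both the allowed origin and Access-Control-Allow-Methods before sending the real request.
  const methodOk = server.allowMethods.map((m) => m.toUpperCase()).includes(req.method.toUpperCase());
  return { preflight: true, allowed: originOk && methodOk };
}

// Constructed scenario: allowed origin www.test.com, only POST listed, as in the question.
const server = { allowOrigin: 'https://www.test.com', allowMethods: ['POST'] };
// Plain GET from the allowed origin: simple request, so it succeeds despite the POST-only list.
console.log(corsDecision({ origin: 'https://www.test.com', method: 'GET' }, server));
// The same GET with a custom header: now preflighted, and the method check fails.
console.log(corsDecision(
  { origin: 'https://www.test.com', method: 'GET', headers: { 'X-Requested-With': 'xhr' } }, server));
```

As the last comment says, CORS is not an authorization mechanism for methods; an endpoint that must not serve GET has to reject it server-side (for example with 405) regardless of what the browser does.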