
From Mozilla's documentation, there are three CORS scenarios:

  1. Simple requests
  2. Preflighted request
  3. Request with credentials

Simple requests have some disadvantages. For example, when the client sets withCredentials, the HTTP request with the cookie has already been sent even if the server refuses it, which could be an attack.

The preflighted request is much safer and could cover all kinds of scenarios. Why did people invent simple requests, even though preflighted requests could meet all requirements?

Reference

  1. What exactly does the Access-Control-Allow-Credentials header do?
Ryan Lyu

1 Answer


The simple explanation is that 'Simple requests' came before CORS existed.

XMLHTTPRequest only allowed requests to the same origin, or requests to different origins if that request did not introduce security issues that did not already exist.

For example, it's possible to do a POST request via a HTML <form> to a different origin, but you can't programmatically read the response.

So given that this was already possible, it made sense that that restriction also did not exist in XMLHTTPRequest.

Years later, when CORS came along it was important that backwards compatibility for those old cross-origin requests was not broken. If suddenly those requests also required CORS headers, it would break scripts that depended on it.

I wrote more about this topic, CORS and no-cors here: https://evertpot.com/no-cors/ for additional background.

Evert
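To make the answer's point concrete, here is an added example (not code from the question or the answer, and not from any browser's source) that classifies a cross-origin request the way the Fetch specification does: a request is "simple" only when its method and headers are on the CORS-safelisted lists, which is exactly the set of requests an HTML form could already send before CORS existed. Anything else gets an OPTIONS preflight first. The function names (`classifyRequest`, `isSafelistedHeader`, `mimeEssence`) are this example's own; the Accept and Accept-Language byte-range checks from the spec are left out as a simplification.

```javascript
// Added example: classify a cross-origin request as "simple" (no preflight)
// or "preflight", following the Fetch spec's CORS-safelisted definitions.
// Function names are this example's own, not from any library.

// CORS-safelisted methods: the only methods an HTML <form> can submit with.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

// CORS-safelisted Content-Type values: the only encodings a <form> can produce.
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Media type "essence": drop parameters such as "; charset=utf-8", normalise case.
function mimeEssence(value) {
  return value.split(";")[0].trim().toLowerCase();
}

// Fetch's "single range header value": bytes=START-END where at least one of
// START/END is present and START <= END when both are given.
function isSimpleRangeValue(value) {
  const m = /^bytes=(\d*)-(\d*)$/.exec(value);
  if (!m) return false;
  const [, start, end] = m;
  if (start === "" && end === "") return false;
  if (start !== "" && end !== "" && Number(start) > Number(end)) return false;
  return true;
}

// True when this header, on its own, would not trigger a preflight.
// Simplification: the spec's byte-range restrictions on Accept and
// Accept-Language values are not reproduced here.
function isSafelistedHeader(name, value) {
  // Fetch: any safelisted header whose value exceeds 128 bytes forces a preflight.
  if (value.length > 128) return false;
  switch (name.toLowerCase()) {
    case "accept":
    case "accept-language":
    case "content-language":
      return true;
    case "content-type":
      return SAFELISTED_CONTENT_TYPES.has(mimeEssence(value));
    case "range":
      return isSimpleRangeValue(value);
    default:
      // Authorization, X-Requested-With, custom headers, etc. all need a preflight.
      return false;
  }
}

// Returns "simple" or "preflight". A "simple" request is sent immediately,
// cookies included when the credentials mode allows them; the server's
// Access-Control-Allow-* headers only decide whether the script may READ the
// response, not whether the request reaches the server. That is the
// behaviour the question describes, and it is the same as a cross-origin
// <form> submission. A "preflight" request is preceded by an OPTIONS request
// that the server must approve before the real request is sent at all.
function classifyRequest(method, headers) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return "preflight";
  for (const [name, value] of Object.entries(headers)) {
    if (!isSafelistedHeader(name, value)) return "preflight";
  }
  return "simple";
}

// Constructed sample inputs for a stand-alone run.
console.log(classifyRequest("POST", { "Content-Type": "application/x-www-form-urlencoded" })); // simple
console.log(classifyRequest("POST", { "Content-Type": "application/json" }));                  // preflight
console.log(classifyRequest("GET", { Authorization: "Bearer token" }));                        // preflight
```

The practical consequence for a server: a CSRF check that relies on a preflight (or on a custom header such as X-Requested-With) only protects endpoints that reject form-encoded, multipart and text/plain bodies, because those bodies arrive without any preflight, exactly as a form post would.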