0

I know that only in some specific cases, the browser won't send the preflight first.But when I'm on the some other site page and made a request in the Chrome dev tools like that :

$.get('http://127.0.0.1:8080/hello')

Then There would be two request sended:

1

2

I tried the fetch API as well, and it just worked the same way. I wonder why it would send a preflight, even though I just do a simple request.

vimuth
  • 5,064
  • 33
  • 79
  • 116
n1nja88888
  • 66
  • 6
  • I assume the url in the browser is not `http://127.0.0.1:8080` – epascarello Mar 04 '23 at 14:24
  • https://stackoverflow.com/questions/15381105/what-is-the-motivation-behind-the-introduction-of-preflight-cors-requests – epascarello Mar 04 '23 at 14:25
  • At least related: https://stackoverflow.com/questions/41679725/preflight-request-is-sent-with-all-methods – T.J. Crowder Mar 04 '23 at 14:50
  • If I do that from the console of a page whose origin `http://localhost` (and I have something running on `http://localhost:8080`), I **don't** get a preflight (OPTIONS) request made, either with `fetch` or with jQuery's `get`. If I do it from the console here on this page, I **do** get a preflight. I thought it might be [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP), but if so, I haven't figured out what aspect of it it doing it. – T.J. Crowder Mar 04 '23 at 15:03
  • of course it won't send a preflight when it's under the same origin site, considering that this is about CORS. The point is that when I'm on some other site and send a request to localhost, it still sends a preflight first, even if this request is considered to be simple request and complied to all the restriction of simple request. – n1nja88888 Mar 04 '23 at 15:34
  • @n1nja88888 - Please read my comment again. `http://localhost` and `http://localhost:8080` are **different** origins. – T.J. Crowder Mar 04 '23 at 15:36
  • 1
    @T.J. Crowder sorry, I just noticed. I followed your steps on my computer. It worked the same way. It's quite confusing. – n1nja88888 Mar 04 '23 at 15:50

1 Answers1

2

When you make a CORS request (even a simple request like $.get) from a site on the public internet to a site in a "more private" address space like 127.0.0.1, a preflight request with Access-Control-Request-Private-Network: true is sent first, see this blog.

Heiko Theißen
  • 12,807
  • 2
  • 7
  • 31
  • Ah, that makes good sense... And sure enough, if I request something local from the console opened on this very page, I get an OPTIONS request, but if I request something from my site on the 'net, I don't. – T.J. Crowder Mar 04 '23 at 17:14