Stack Overflow
Stack Overflow

Questions tagged [preflight]

A preflight is an HTTP OPTIONS request that browsers (automatically on their own) send to servers before trying certain kinds of cross-origin requests — in order to determine if a server has opted-in to receiving those kinds of requests.

See https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Preflighted_requests

413 questions
586
votes
15 answers

Why is an OPTIONS request sent and can I disable it?

I am building a web API. I found whenever I use Chrome to POST, GET to my API, there is always an OPTIONS request sent before the real request, which is quite annoying. Currently, I get the server to ignore any OPTIONS requests. Now my question is…
user1663023
514
votes
9 answers

What is the motivation behind the introduction of preflight CORS requests?

Cross-origin resource sharing is a mechanism that allows a web page to make XMLHttpRequests to another domain (from Wikipedia). I've been fiddling with CORS for the last couple of days and I think I have a pretty good understanding of how everything…
Jan Groth
  • 14,039
  • 5
  • 40
  • 55
268
votes
14 answers

AngularJS performs an OPTIONS HTTP request for a cross-origin resource

I'm trying to setup AngularJS to communicate with a cross-origin resource where the asset host which delivers my template files is on a different domain and therefore the XHR request that angular performs must be cross-domain. I've added the…
matsko
  • 21,895
  • 21
  • 102
  • 144
195
votes
2 answers

How to filter (hide) Pre-flight requests on my Dev Tools Network

Normally both calls are shown, the pre-flight and the actual request. This is sometimes annoying. Is there a way to hide the pre-flights requests ? Or is there a plugin to filter certain requests based on headers ?
John Smith
  • 1,848
  • 3
  • 13
  • 24
134
votes
4 answers

Chrome not showing OPTIONS requests in Network tab

My web client application is setting HTTP POST requests via fetch API. I see that OPTIONS preflight requests are sent via debugging proxy (Charles Proxy), but they are not displayed in Google Chrome Developer Tools\Network tab. I don't have any…
Ubeogesh
  • 1,633
  • 2
  • 15
  • 22
108
votes
6 answers

How to skip the OPTIONS preflight request?

I had developed a PhoneGap app which is now being transformed to a mobile website. Everything works smoothly besides one small glitch. I use a certain third party API via a POST request, which works fine in the app, but fails in the mobile website…
Bram Vandewalle
  • 1,624
  • 3
  • 20
  • 29
80
votes
6 answers

How to resolve 'preflight is invalid (redirect)' or 'redirect is not allowed for a preflight request'

I have followed this step to setup my server to enable CORS. https://learn.microsoft.com/en-us/aspnet/web-api/overview/security/enabling-cross-origin-requests-in-web-api But now in my browser dev console, I see this error message: XMLHttpRequest…
n179911
  • 19,547
  • 46
  • 120
  • 162
70
votes
8 answers

CORS error on request to localhost dev server from remote site

On Friday I had a working dev environment. On Monday I had a broken one. I encountered this error message in the Chrome dev-tools console for all my assets: Access to CSS stylesheet at 'http://localhost:8080/build/app.css' from origin…
tvanc
  • 3,807
  • 3
  • 25
  • 40
56
votes
9 answers

Go gin framework CORS

I'm using Go gin framework gin func CORSMiddleware() gin.HandlerFunc { return func(c *gin.Context) { c.Writer.Header().Set("Content-Type", "application/json") c.Writer.Header().Set("Access-Control-Allow-Origin", "*") …
qwertmax
  • 3,120
  • 2
  • 29
  • 42
50
votes
3 answers

What are proper status codes for CORS preflight requests?

What status code should a well-written HTTP server return when it gets a CORS preflight (OPTIONS) request? 200, 204 or something else? Should the status code be different in case origin is allowed (and corresponding headers will be set) or not…
Andrej
  • 1,679
  • 1
  • 26
  • 40
48
votes
0 answers

CORS OPTIONS preflight requests not showing in dev tools

How to get Safari to display CORS pre-flight OPTIONS requests in the dev tools network tab? IIRC they used to show up, and I know the requests are being made as we can see them logging on the server. We had the same problem suddenly occur with…
stringy05
  • 6,511
  • 32
  • 38
43
votes
5 answers

How to handle preflight CORS requests on a Go server

So I'm writing this RESTful backend in Go, which will be called with cross-site HTTP requests, i.e. from content served by another site (actually, just another port, but the same-origin policy kicks in, so here we are). In this scenario, the user…
ivarg
  • 755
  • 1
  • 8
  • 11
41
votes
1 answer

Why is there no preflight in CORS for POST requests with standard content-type

I'm a bit confused about the security aspects of CORS POST requests. I know there is a lot of information about this topic online, but I couldn't find a definite answer to my questions. If I understood it correctly, the goal of the same-origin…
sauerburger
  • 4,569
  • 4
  • 31
  • 42
31
votes
1 answer

CORS request with Preflight and redirect: disallowed. Workarounds?

I'm designing an API that allows the user to authenticate (using tokens) and that contains redirects within the same domain. Now, for an unauthenticated request to an endpoint that returns 303, GET /documents/123 --> 303 redirect to…
Nico Schlömer
  • 53,797
  • 27
  • 201
  • 249
26
votes
2 answers

Confused about how to handle CORS OPTIONS preflight requests

I'm new to working with Cross Origin Resource Sharing and trying to get my webapp to respond to CORS requests. My webapp is a Spring 3.2 app running on Tomcat 7.0.42. In my webapp's web.xml, I have enabled the Tomcat CORS filter: