Cross-origin resource sharing is a mechanism that allows a web page to make XMLHttpRequests to another domain (from Wikipedia).
I've been fiddling with COR
Pre-flight requests are necessary for requests that can change state on the server. There are 2 types of requests:
1) Calls that cannot change state on the server (like GET): a response might come back for the request (if the server does not check the origin), but if the requesting domain is not listed in the Access-Control-Allow-Origin response header, the browser does not show the data to the user, i.e., the request is sent from the browser but the user isn't able to view or make use of the response.
2) Calls that can change state on the server (like POST, DELETE): as 1) shows, the browser blocks the response rather than the request, so state-changing calls should not be allowed without prior checks. Such calls might make changes on a trusting server that does not check the origin of the calls (this is called Cross-Site Request Forgery), even though the response to the browser might be a failure. For this reason, we have the concept of pre-flight requests: an OPTIONS call is made before any state-changing call can be sent to the server.
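The server side of both request types described above, as an added example that is not part of the original page: a decision function that answers the OPTIONS pre-flight and also checks the origin on the state-changing call itself. The allowlist, the origins and the `corsDecision` name are assumptions made for illustration.

```javascript
// Added example. Origins below are constructed placeholders.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Decide status and CORS response headers for one request.
// `headers` uses lowercase names, as Node's http module exposes them.
function corsDecision(method, headers) {
  const origin = headers["origin"];
  const trusted = origin !== undefined && ALLOWED_ORIGINS.has(origin);
  const out = { Vary: "Origin" };
  if (trusted) out["Access-Control-Allow-Origin"] = origin;

  // Pre-flight: an OPTIONS call naming the method the page wants to use.
  const wanted = headers["access-control-request-method"];
  if (method === "OPTIONS" && wanted !== undefined) {
    if (trusted && STATE_CHANGING.has(wanted)) {
      out["Access-Control-Allow-Methods"] = wanted;
    }
    // No allow headers for an untrusted origin: the browser stops here
    // and the state-changing call is never sent.
    return { status: 204, headers: out, runHandler: false };
  }

  // State-changing call: check the origin on the server as well, so the
  // change is refused rather than applied and then hidden.
  if (STATE_CHANGING.has(method) && origin !== undefined && !trusted) {
    return { status: 403, headers: out, runHandler: false };
  }

  // Read-only call: the handler runs; without Access-Control-Allow-Origin
  // the browser withholds the response from the requesting page.
  return { status: 200, headers: out, runHandler: true };
}

// Constructed sample requests covering both request types.
const other = "https://other.example";
const preflight = { origin: other, "access-control-request-method": "DELETE" };
console.log(corsDecision("GET", { origin: other }));
console.log(corsDecision("OPTIONS", preflight));
console.log(corsDecision("DELETE", { origin: "https://app.example.com" }));
```
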