http - Why aren't POST requests always preflighted?
According to MDN, POST requests are not preflighted if the Content-Type is application/x-www-form-urlencoded, multipart/form-data, or text/plain.
But isn't multipart/form-data as unsafe as application/xml? For instance, I would expect cross-origin POST requests to the URL http://bank.com/money-orders/ to be disallowed, regardless of the content type the endpoint accepts.
Because: before CORS was ever conceived of, it was possible to send a cross-origin POST request by, e.g., a web page at one origin sending it to another origin as the result of a user filling out a form on the page at one origin, and clicking a submit button to send it to the other origin.
So, basically, CORS doesn’t change that behavior—it doesn’t prevent or disallow it, because it was possible, and allowed, before CORS came along.
Back then, though, there was no way to send custom headers in such a POST request. CORS makes it possible to do that—to make a new kind of request that servers hadn’t seen or had to deal with. So, the purpose of the preflight is to tell the server: here’s a new type of POST (or GET) that you must indicate you’re opting in to and are OK with (or a new method).
But that heads-up to the server is not necessary if the POST request is not different from the kind of simple POST requests that have been allowed on the web already.
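The rule described in the answer can be written down as a small decision function. This is an added example, not code from the original post: it is a simplified model of the browser's check (the real Fetch rules have further conditions), and the function name, constant names and sample requests are assumptions made for illustration.

```javascript
// Added example: simplified model of the browser's "does this cross-origin
// request need a preflight?" decision. Function and variable names are
// hypothetical; the sample requests below are constructed.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);
// Request headers a script may set without triggering a preflight.
const SIMPLE_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);

function needsPreflight(method, headers = {}) {
  // A method an HTML form could never send is a new capability.
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    // A custom header is something a pre-CORS form post could not carry.
    if (!SIMPLE_HEADERS.has(lower)) return true;
    if (lower === "content-type") {
      // Compare only the MIME type; parameters (boundary, charset) are ignored.
      const mime = String(value).split(";")[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false; // same shape as a classic form submission
}

// Constructed sample requests.
const samples = [
  ["POST", { "Content-Type": "multipart/form-data; boundary=x" }],
  ["POST", { "Content-Type": "application/xml" }],
  ["POST", { "Content-Type": "text/plain", "X-Requested-With": "XMLHttpRequest" }],
  ["DELETE", {}],
];
for (const [method, headers] of samples) {
  const verdict = needsPreflight(method, headers) ? "preflight" : "no preflight";
  console.log(method, JSON.stringify(headers), "->", verdict);
}
```

Requests for which this returns false reach the server with no preflight at all, so an endpoint such as the question's money-orders URL has to authorize them itself, for example with a CSRF token or an Origin check.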