Understanding CORS: Preflighting Requests
Cross-Origin Resource Sharing (CORS) enables controlled access to resources from different origins. To accomplish this, browsers implement a "preflight" mechanism that verifies whether a request is allowed. Here is how preflighting an HTTP request works and what the server must do to answer it correctly:
Server Response with Access-Control-Allow-Origin Header
The server must add the "Access-Control-Allow-Origin" header with an appropriate value (e.g., "*" to allow all origins) to its response. This header grants permission for the request.
Preflighting with the OPTIONS Request
To preflight a request, the browser sends an additional request using the HTTP OPTIONS method before the actual request. This request includes the following headers:
Server Response to Preflight Request
The server should acknowledge these preflight headers in its response. If the request is allowed, the response should include:
Crucially, the "Access-Control-Allow-Headers" header must not have a value of "*"; instead, it should match the headers specified in the "Access-Control-Request-Headers" header.
Once the server sends this response to the preflight request, the browser will make the actual request.
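The server-side decision described above can be written as a single function. This is an added example, not code from the original article; the POLICY values, the origin https://app.example.com and the function names are assumptions. It returns the one matched origin rather than "*" and echoes only requested headers that are on an allowlist.

```javascript
// Added example: assumed policy values, not taken from the article.
const POLICY = {
  origins: new Set(["https://app.example.com"]), // constructed origin
  methods: ["GET", "POST", "PUT"],
  headers: new Set(["content-type", "x-requested-with"]), // stored lowercase
  maxAge: 600, // seconds the browser may cache the preflight result
};

// Split a comma-separated header value into trimmed, lowercased tokens.
function tokens(value) {
  return (value || "").split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);
}

// Decide how to answer a preflight. `req` is { method, headers } with
// lowercase header names (the form Node's http module provides).
// Returns null when the request is not a preflight at all.
function handlePreflight(req, policy = POLICY) {
  const origin = req.headers["origin"];
  const wantMethod = req.headers["access-control-request-method"];
  if (req.method !== "OPTIONS" || !origin || !wantMethod) return null;

  const wantHeaders = tokens(req.headers["access-control-request-headers"]);
  const allowed =
    policy.origins.has(origin) &&
    policy.methods.includes(wantMethod) && // method names are case-sensitive
    wantHeaders.every((h) => policy.headers.has(h));

  // Denied: no Access-Control-* headers, so the browser fails the
  // preflight and never sends the actual request.
  if (!allowed) return { status: 403, headers: { Vary: "Origin" } };

  const headers = {
    "Access-Control-Allow-Origin": origin, // the matched origin, not "*"
    "Access-Control-Allow-Methods": policy.methods.join(", "),
    "Access-Control-Max-Age": String(policy.maxAge),
    Vary: "Origin", // caches must key on Origin when it is echoed back
  };
  // Echo exactly the requested headers, all of which passed the allowlist.
  if (wantHeaders.length) {
    headers["Access-Control-Allow-Headers"] = wantHeaders.join(", ");
  }
  return { status: 204, headers };
}
```

In a Node server, call it at the top of the request handler and, when it returns a non-null result, write that status and those headers and end the response.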
Additional Resources
For more comprehensive information on CORS, refer to the HTML5 Rocks documentation at: http://www.html5rocks.com/en/tutorials/cors/