OPTIONS
The OPTIONS method is an HTTP method used to find out which request options a server allows for a given resource, so it is sent before other requests to discover what the server accepts.
The server responds with a set of headers describing what is allowed, but it may also return an error if no requests are permitted for the resource.
This can be done in two ways. The first is to specify a URL in the request, to query a specific resource:
OPTIONS /index.html HTTP/1.1
The other way is to indicate with an asterisk (*), which refers to resources as a whole:
OPTIONS * HTTP/1.1
This request is made first to discover the permissions offered for the resources, so that the other requests can then be sent without getting an error.
For a simple request, you can use cURL to send this confirmation request, for example:
curl -X OPTIONS http://example.org/index.html -i
By default, if any methods are permitted, the server returns an Allow header, which lists the methods it accepts for the resource. This data is informational only:
HTTP/1.1 200 OK
Allow: OPTIONS, GET, HEAD, POST
Cache-Control: max-age=604800
Date: Thu, 13 Oct 2016 11:45:00 GMT
Expires: Thu, 20 Oct 2016 11:45:00 GMT
Server: EOS (lax004/2813)
x-ec-custom-error: 1
Content-Length: 0
If no requests are allowed, the server returns an empty header, which may occur temporarily for some resources.
The information returned by OPTIONS only reports which methods the server accepts. It is not used to confirm that a request was sent.
CORS
It is a specification that defines how resources are exchanged between browser and server in a secure way, so that scripts cannot make cross-origin requests the server has not allowed.
A request made with CORS is used to find out whether the server allows a specific type of request. It passes the parameters to be checked, so a "custom" permission check is performed against the server.
There is a list of CORS headers that can be used in a request.
As an example, a request is created to find out whether a specific request that uses POST and has custom headers is accepted. It uses the Access-Control-Request-Method header, set to POST, and the Access-Control-Request-Headers header, which names the custom headers:
OPTIONS /resources/post-here/ HTTP/1.1
Host: bar.other
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Origin: http://foo.example
Access-Control-Request-Method: POST
Access-Control-Request-Headers: X-PINGOTHER, Content-Type
The server parses this "custom" request and, if it is allowed, responds with headers indicating whether the specified method and headers can be used. This response is similar to an Allow response.
HTTP/1.1 200 OK
Date: Mon, 01 Dec 2008 01:15:39 GMT
Server: Apache/2.0.61 (Unix)
Access-Control-Allow-Origin: http://foo.example
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: X-PINGOTHER, Content-Type
Access-Control-Max-Age: 86400
Vary: Accept-Encoding, Origin
Content-Encoding: gzip
Content-Length: 0
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/plain
The CORS mechanism supports secure cross-origin requests, which are requests whose origin (domain, protocol, and port) differs from the origin of the page making them. The request goes through the verification performed by the server, which returns the result, and the cross-origin request can be made from there.
In a request with CORS, the browser sends a request carrying specific headers, for example an Access-Control-Request-Method header, which asks which methods are allowed, and the server responds with Access-Control-Allow-Methods. In other words, the browser asks for confirmation, the server responds with headers stating what is allowed, and the browser checks the returned data. If it is compatible, the browser releases the cross-origin request between the different domains.
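The preflight exchange above, as an added example that is not part of the original page: a server answering the OPTIONS preflight from an explicit allowlist, and a simplified version of the check the browser makes on the response. `POLICY`, `preflightResponse` and `browserAllows` are hypothetical names, the sample request is constructed from the headers shown earlier, and real browsers also apply safelisted methods and headers and credential rules that are omitted here.

```javascript
// Added example (not from the original page): a simplified preflight check.
// POLICY, preflightResponse and browserAllows are hypothetical names.
const POLICY = {
  origins: new Set(["http://foo.example"]),
  methods: new Set(["POST", "GET", "OPTIONS"]),
  headers: new Set(["x-pingother", "content-type"]), // compared lowercase
  maxAge: 86400,
};

const splitList = (v) =>
  (v || "").split(",").map((s) => s.trim()).filter(Boolean);

// Server side: answer an OPTIONS preflight from an explicit allowlist.
// An unknown origin, method or header gets no Access-Control-* headers,
// and the Origin header is never echoed back without being checked.
function preflightResponse(req) {
  const origin = req["Origin"];
  const method = req["Access-Control-Request-Method"];
  const wanted = splitList(req["Access-Control-Request-Headers"]);
  const res = { Vary: "Origin" }; // caches must key on the Origin header
  if (!POLICY.origins.has(origin)) return res;
  if (!POLICY.methods.has(method)) return res;
  if (!wanted.every((h) => POLICY.headers.has(h.toLowerCase()))) return res;
  res["Access-Control-Allow-Origin"] = origin;
  res["Access-Control-Allow-Methods"] = [...POLICY.methods].join(", ");
  res["Access-Control-Allow-Headers"] = wanted.join(", ");
  res["Access-Control-Max-Age"] = String(POLICY.maxAge);
  return res;
}

// Browser side (simplified: no safelisted methods/headers, no credentials):
// compare the preflight answer with the request the script wants to send.
function browserAllows(res, origin, method, headers) {
  const allowOrigin = res["Access-Control-Allow-Origin"];
  if (allowOrigin !== origin && allowOrigin !== "*") return false;
  const methods = splitList(res["Access-Control-Allow-Methods"]);
  const allowed = splitList(res["Access-Control-Allow-Headers"])
    .map((h) => h.toLowerCase());
  return methods.includes(method) &&
    headers.every((h) => allowed.includes(h.toLowerCase()));
}

// Constructed sample: the preflight request shown in the text.
const sampleReq = {
  "Origin": "http://foo.example",
  "Access-Control-Request-Method": "POST",
  "Access-Control-Request-Headers": "X-PINGOTHER, Content-Type",
};
console.log(preflightResponse(sampleReq));
```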
Compatibility
All browsers have basic support for this type of request, both mobile and desktop browsers.