Before sending any requests to the server, browsers automatically send a request of type OPTIONS to know some information about the server
What information does the server need to send? Only CORS headers?
Should this information be sent only in these requests or in the others as well? (for compatibility with older browsers or something)
Do these requests need to be authenticated?
I found this question where it says just a not very specific phrase of what should be returned
The OPTIONS method is a HTTP method, which is used to find out the allowed request options for certain resources for a server, so this request is made before the others to discover permissions that you accept.
In this request, the server returns a list of headers containing some data, but may also return an error if it has no requests for the resources.
This can be done in two ways, the first one is specifying a URL in the request, for a specific analysis:
OPTIONS /index.html HTTP/1.1
The other way is to indicate with an asterisk (*), which refers to resources as a whole:
OPTIONS * HTTP/1.1
This request is initially made to discover the permissions offered for the resources, so you can use the other requests without returning an error.
For a simple request, you can use CURL to send this confirmation request, for example:
curl -X OPTIONS http://index.html -i
In this request, by default, if there are permissible fields, the server will return a header of type Allow , which indicates which methods you accept and have request permission, but returning the data only as information:
HTTP/1.1 200 OK
Allow: OPTIONS, GET, HEAD, POST
Cache-Control: max-age=604800
Date: Thu, 13 Oct 2016 11:45:00 GMT
Expires: Thu, 20 Oct 2016 11:45:00 GMT
Server: EOS (lax004/2813)
x-ec-custom-error: 1
Content-Length: 0
If you do not have allowed requests, the server will return an empty header, which may temporarily occur for some resource.
The OPTIONS information is only made in this request to inform which methods you accept to do. It is not used for shipping confirmation.
It is a specification used to define resource exchanges between browser and server, in a secure way, not allowing scripts to make cross-source requests.
A request, made with CORS , is used to know if the server allows a specific request type, informing the parameters to be analyzed, that is, a "custom" permission check is done for the server. / p>
Here has a list of
CORSheaders that can be used on a request.
An example, a request is created to know if a specific request that uses POST and has custom headers is accepted. Headers Access-Control-Request-Method , POST and Access-Control-Request-Headers , are used for custom headers:
OPTIONS /resources/post-here/ HTTP/1.1
Host: bar.other
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Origin: http://foo.example
Access-Control-Request-Method: POST
Access-Control-Request-Headers: X-PINGOTHER, Content-Type
From this "custom" request, the server parses and if allowed, will return with the headers, informing if the headers of the specified fields can be requested. This response is similar to a Allow response.
HTTP/1.1 200 OK
Date: Mon, 01 Dec 2008 01:15:39 GMT
Server: Apache/2.0.61 (Unix)
Access-Control-Allow-Origin: http://foo.example
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: X-PINGOTHER, Content-Type
Access-Control-Max-Age: 86400
Vary: Accept-Encoding, Origin
Content-Encoding: gzip
Content-Length: 0
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/plain
The CORS mechanism supports cross-source secure requests, which are requests with source (domain, protocol, and port) different from their own source. With this, the request goes through the authentication made by the server and returns the result, to request a cross request from there.
In a request with CORS , the browser makes a request, where specific headers are passed, for example a Access-Control-Request-Method header, which will request methods that are allowed and the server will respond with Access-Control-Allow-Methods , or the browser will ask for a confirmation, the server responds with a header, informing what is allowed and with the return, the browser checks the returned data, if compatible, the browser will release the cross request between different domains. >
All browsers have basic support for this type of request, both mobile and desktop browsers:
