What should the server return in an OPTIONS request?

11

Before sending any requests to the server, browsers automatically send a request of type OPTIONS to know some information about the server

What information does the server need to send? Only CORS headers?

Should this information be sent only in these requests or in the others as well? (for compatibility with older browsers or something)

Do these requests need to be authenticated?

I found this question where it says just a not very specific phrase of what should be returned

asked by anonymous 26.10.2018 / 13:43

1 answer

7

OPTIONS

The OPTIONS method is an HTTP method, which is used to find out the allowed request options for certain resources on a server, so this request is made before the others to discover the permissions that are accepted.

In this request, the server returns a list of headers containing some data, but may also return an error if it has no requests for the resources.

This can be done in two ways, the first one is specifying a URL in the request, for a specific analysis:

OPTIONS /index.html HTTP/1.1

The other way is to indicate with an asterisk (*), which refers to resources as a whole:

OPTIONS * HTTP/1.1

This request is initially made to discover the permissions offered for the resources, so you can use the other requests without returning an error.

For a simple request, you can use CURL to send this confirmation request, for example:

curl -i -X OPTIONS http://example.com/index.html

In this request, by default, if there are permissible fields, the server will return a header of type Allow, which indicates which methods it accepts and has request permission for, but returning the data only as information:

HTTP/1.1 200 OK
Allow: OPTIONS, GET, HEAD, POST
Cache-Control: max-age=604800
Date: Thu, 13 Oct 2016 11:45:00 GMT
Expires: Thu, 20 Oct 2016 11:45:00 GMT
Server: EOS (lax004/2813)
x-ec-custom-error: 1
Content-Length: 0

If you do not have allowed requests, the server will return an empty header, which may temporarily occur for some resource.

The OPTIONS information is only given in this request to inform which methods are accepted. It is not used as a confirmation for sending data.

CORS

It is a specification used to define resource exchanges between browser and server, in a secure way, not allowing scripts to make cross-origin requests.

A request made with CORS is used to know if the server allows a specific request type, informing the parameters to be analyzed, that is, a "custom" permission check is done for the server.


Here is a list of CORS headers that can be used on a request.

An example: a request is created to know if a specific request that uses POST and has custom headers is accepted. The headers Access-Control-Request-Method, with POST, and Access-Control-Request-Headers, for the custom headers, are used:

OPTIONS /resources/post-here/ HTTP/1.1
Host: bar.other
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Origin: http://foo.example
Access-Control-Request-Method: POST
Access-Control-Request-Headers: X-PINGOTHER, Content-Type

From this "custom" request, the server parses it and, if allowed, will return with the headers, informing whether the headers of the specified fields can be requested. This response is similar to an Allow response.

HTTP/1.1 200 OK
Date: Mon, 01 Dec 2008 01:15:39 GMT
Server: Apache/2.0.61 (Unix)
Access-Control-Allow-Origin: http://foo.example
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: X-PINGOTHER, Content-Type
Access-Control-Max-Age: 86400
Vary: Accept-Encoding, Origin
Content-Encoding: gzip
Content-Length: 0
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/plain

The CORS mechanism supports secure cross-origin requests, which are requests with an origin (domain, protocol, and port) different from their own origin. With this, the request goes through the authentication made by the server and returns the result, so that a cross request can be made from there.

In a request with CORS, the browser makes a request where specific headers are passed, for example an Access-Control-Request-Method header, which asks which methods are allowed, and the server will respond with Access-Control-Allow-Methods. Or the browser will ask for a confirmation, the server responds with a header informing what is allowed and, with the return, the browser checks the returned data; if compatible, the browser will release the cross request between different domains.

Compatibility

All browsers have basic support for this type of request, both mobile and desktop browsers:

More reading

31.10.2018 / 16:17
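To tie the two halves of the answer together (the plain Allow listing and the CORS preflight), here is an added example, not code from the question or the answer above, of what an OPTIONS handler can return. The origin, method and header allowlists, the listening address and the port 8080 are constructed values for illustration; a real deployment takes them from configuration.

```python
"""Added example: a minimal CORS preflight responder for OPTIONS requests.
Not part of the original answer; the allowlists below are constructed."""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed policy: in production this comes from configuration, never from
# the incoming request (reflecting an arbitrary Origin defeats the check).
ALLOWED_ORIGINS = {"https://app.example", "https://admin.example"}
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE"}
ALLOWED_HEADERS = {"content-type", "authorization", "x-pingother"}
MAX_AGE_SECONDS = 600  # how long the browser may cache this preflight result


def options_response(req_headers):
    """Return (status, response_headers) for an OPTIONS request.

    Header names are matched case-insensitively. A plain OPTIONS (no Origin
    and no Access-Control-Request-Method) gets the classic Allow listing; a
    CORS preflight gets Access-Control-* headers only when the policy allows
    the origin, the method and every requested header.
    """
    h = {k.lower(): v for k, v in req_headers.items()}
    origin = h.get("origin")
    req_method = h.get("access-control-request-method")

    if origin is None or req_method is None:
        # Not a preflight: answer the way the Allow example in the answer does.
        return 204, {"Allow": "OPTIONS, GET, HEAD, POST"}

    # Vary: Origin keeps caches from serving one origin's answer to another.
    deny = {"Vary": "Origin"}
    if origin not in ALLOWED_ORIGINS:
        return 403, deny

    requested = {x.strip().lower()
                 for x in h.get("access-control-request-headers", "").split(",")
                 if x.strip()}
    if req_method.upper() not in ALLOWED_METHODS or not requested <= ALLOWED_HEADERS:
        return 403, deny

    return 204, {
        # Echo the one matching allowlisted origin, not "*": a wildcard is
        # rejected by browsers when the actual request carries credentials.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(sorted(ALLOWED_HEADERS)),
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Max-Age": str(MAX_AGE_SECONDS),
        "Vary": "Origin",
        "Content-Length": "0",
    }


class PreflightHandler(BaseHTTPRequestHandler):
    """Tiny server wiring options_response to real HTTP, for manual testing."""

    def do_OPTIONS(self):
        # Browsers send preflights without cookies or Authorization, so this
        # handler must not demand authentication; the actual request is
        # authenticated as usual once the preflight passes.
        status, headers = options_response(dict(self.headers.items()))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        if "Content-Length" not in headers:
            self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    # Try it with, for example:
    # curl -i -X OPTIONS -H 'Origin: https://app.example' \
    #      -H 'Access-Control-Request-Method: POST' http://127.0.0.1:8080/
    HTTPServer(("127.0.0.1", 8080), PreflightHandler).serve_forever()
```

Two points this makes concrete for the questions asked above: the preflight itself is not authenticated (the browser sends it without credentials, so an OPTIONS route behind session or token checks breaks every cross-origin call), and any non-2xx status fails the preflight, so answering a rejected origin with 403 and no Access-Control-* headers both blocks the call and leaves a clear line in the access log.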