
CORS: Why My Browser Doesn't Send OPTIONS Preflight Request?

From what I've read about CORS, I understand it should work as follows: Script on a client side tries to fetch a resource from a server with different origin. Browser intercepts

Solution 1:

As pointed out by commentators, with GET the browser doesn't always send a preflight OPTIONS request. If a preflight is indeed needed, one way to make the browser send it is to set a custom header (e.g. "X-PINGOVER: pingpong" or whatever). Note that the server should also allow this request header by adding it to the "Access-Control-Allow-Headers" response header.


My underlying goal was to pass cookies with domain a.com to servers of a.com, but from a page of another site(s) b.com (a common use case for this is tracking your users on 3rd party websites). It turns out that sending cookies alongside the request involves a bit more work.

On the client side (i.e. in JavaScript) one needs to enable cross-domain requests and allow passing credentials. E.g. the following request with jQuery worked for me:

$.ajax({
  type: "GET",
  url: "http://example.com",
  xhrFields: {
    withCredentials: true           // allow passing cookies
  },
  crossDomain: true,                // force cross-domain request
  success: function (data) { /* ... */ },
  error: function (request, error) { /* ... */ }
});

On the server side one needs to set 2 response headers:

  • Access-Control-Allow-Credentials: true
  • Access-Control-Allow-Origin: <requester origin>

where <requester origin> is the protocol + host + port of the website that performed the call. Note that the generic * may not work in many browsers, so it makes sense for the server to parse the Referer header of the request and respond with the specific allowed origin.
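
A server-side sketch of the response headers described in this answer, as an added example that is not part of the original post. It assumes the caller's origin is read from the `Origin` request header and matched exactly against an allowlist before being echoed back; the function name `corsPolicy`, the allowlist entries and the sample requests are constructed for illustration.

```javascript
// Constructed allowlist: sites permitted to make credentialed calls to this server.
const ALLOWED_ORIGINS = new Set(["https://b.com", "https://www.b.com"]);
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["x-pingover", "content-type"]; // custom header from the answer

// req: { method, headers } with lower-cased header names (as Node's http module
// provides them). Returns { allowed, preflight, headers }, where headers are the
// CORS-related response headers to send.
function corsPolicy(req) {
  const origin = req.headers["origin"];
  // Vary: Origin stops a shared cache from replaying one origin's answer to another.
  const deny = { allowed: false, preflight: false, headers: { "Vary": "Origin" } };

  // Exact string match only: prefix or substring checks would also accept
  // look-alike hosts. Unknown origins get no Access-Control-* headers at all.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return deny;

  const headers = {
    "Vary": "Origin",
    // Echo the specific origin; browsers reject "*" on credentialed requests.
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };

  // A preflight is an OPTIONS request carrying Access-Control-Request-Method.
  const wantedMethod = req.headers["access-control-request-method"];
  if (req.method !== "OPTIONS" || wantedMethod === undefined) {
    return { allowed: true, preflight: false, headers };
  }

  const wantedHeaders = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const ok = ALLOWED_METHODS.includes(wantedMethod) &&
    wantedHeaders.every((h) => ALLOWED_HEADERS.includes(h));
  if (!ok) return { ...deny, preflight: true };

  headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  if (wantedHeaders.length > 0) {
    headers["Access-Control-Allow-Headers"] = wantedHeaders.join(", ");
  }
  return { allowed: true, preflight: true, headers };
}
```
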
