Learning by sharing

Preflighted requests

Preflighted requests
Unlike simple requests (discussed above), “preflighted” requests first send an HTTP OPTIONS request header to the resource on the other domain, in order to determine whether the actual request is safe to send. Cross-site requests are preflighted like this since they may have implications to user data. In particular, a request is preflighted if:
  • It uses methods other than GET or POST. Also, if POST is used to send request data with a Content-Type other than application/x-www-form-urlencoded, multipart/form-data, or text/plain, e.g. if the POST request sends an XML payload to the server using application/xml or text/xml, then the request is preflighted.
  • It sets custom headers in the request (e.g. the request uses a header such as X-PINGOTHER)
XMLHttpRequest 里面上传的话 如果在 xhr.upload 里面添加事件监听 就会触发上面的 option 请求。把事件监听去掉就没有。。。
Turns out this is not a bug. The spec for XMLHttpRequest does mention that upload progress event handlers should cause the “force preflight” flag to be set. I was a bit confused when this was not specifically mentioned in the CORS spec, even though that spec does reference the existence of a “force preflight” flag.