Skip to main content
The 2026 Annual Developer Survey is live— take the Survey today!
Bounty Awarded with 500 reputation awarded by Rasto
added 270 characters in body
Source Link
Vasiliy Faronov

The same-origin policy restricts the kinds of requests that a Web page can send to resources from another origin.

In the no-cors mode, the browser is limited to sending “simple” requests — those with safelisted methods and safelisted headers only.

HistoricallyTo send a cross-origin request with headers like Authorization and X-My-Custom-Header, you have to drop the no-cors mode and support preflight requests (OPTIONS).

The distinction between “simple” and “non-simple” requests is for historical reasons. Web pages could always perform such “simple”some cross-origin requests through various means (such as creating and submitting a form), so allowing such requests to be sent via XHR or Fetch without preflight did not introduce new security concerns.

So, if you wish to sendwhen Web browsers introduced a principled means of sending cross-origin request with those headersrequests (cross-origin resource sharing, you have to support preflightor CORS), it was decided that such “simple” requests and dropcould be exempt from the preflight no-corsOPTIONS modecheck.

The same-origin policy restricts the kinds of requests that a Web page can send to resources from another origin.

In the no-cors mode, the browser is limited to sending “simple” requests — those with safelisted methods and safelisted headers only.

Historically, Web pages could always perform such “simple” cross-origin requests through various means (such as creating and submitting a form), so allowing such requests to be sent via XHR or Fetch without preflight did not introduce new security concerns.

So, if you wish to send a cross-origin request with those headers, you have to support preflight requests and drop the no-cors mode.

The same-origin policy restricts the kinds of requests that a Web page can send to resources from another origin.

In the no-cors mode, the browser is limited to sending “simple” requests — those with safelisted methods and safelisted headers only.

To send a cross-origin request with headers like Authorization and X-My-Custom-Header, you have to drop the no-cors mode and support preflight requests (OPTIONS).

The distinction between “simple” and “non-simple” requests is for historical reasons. Web pages could always perform some cross-origin requests through various means (such as creating and submitting a form), so when Web browsers introduced a principled means of sending cross-origin requests (cross-origin resource sharing, or CORS), it was decided that such “simple” requests could be exempt from the preflight OPTIONS check.

added 147 characters in body
Source Link
Vasiliy Faronov

The same-origin policy restricts the kinds of requests that a Web page can send to resources from another origin.

In the no-cors mode, the same-origin policy restricts the browser is limited to sending “simple” requests — those with safelisted methods and safelisted headers only.

Historically, Web pages could always emulateperform such “simple” cross-origin requests through various means (such as creating and submitting a form), so allowing such requests to be sent via XHR or Fetch without preflight did not introduce new security concerns.

So, if you wish to send a cross-origin request with those headers, you have to support preflight requests and drop the no-cors mode.

In the no-cors mode, the same-origin policy restricts the browser to sending “simple” requests — those with safelisted methods and safelisted headers only.

Historically, Web pages could always emulate such “simple” cross-origin requests through various means (such as creating and submitting a form), so allowing such requests to be sent via XHR or Fetch without preflight did not introduce new security concerns.

So, if you wish to send a cross-origin request with those headers, you have to support preflight requests and drop the no-cors mode.

The same-origin policy restricts the kinds of requests that a Web page can send to resources from another origin.

In the no-cors mode, the browser is limited to sending “simple” requests — those with safelisted methods and safelisted headers only.

Historically, Web pages could always perform such “simple” cross-origin requests through various means (such as creating and submitting a form), so allowing such requests to be sent via XHR or Fetch without preflight did not introduce new security concerns.

So, if you wish to send a cross-origin request with those headers, you have to support preflight requests and drop the no-cors mode.

Source Link
Vasiliy Faronov

In the no-cors mode, the same-origin policy restricts the browser to sending “simple” requests — those with safelisted methods and safelisted headers only.

Historically, Web pages could always emulate such “simple” cross-origin requests through various means (such as creating and submitting a form), so allowing such requests to be sent via XHR or Fetch without preflight did not introduce new security concerns.

So, if you wish to send a cross-origin request with those headers, you have to support preflight requests and drop the no-cors mode.

lang-js