The same-origin policy restricts the kinds of requests that a Web page can send to resources from another origin.
In the no-cors mode, the browser is limited to sending “simple” requests — those with safelisted methods and safelisted headers only.
HistoricallyTo send a cross-origin request with headers like Authorization and X-My-Custom-Header, you have to drop the no-cors mode and support preflight requests (OPTIONS).
The distinction between “simple” and “non-simple” requests is for historical reasons. Web pages could always perform such “simple”some cross-origin requests through various means (such as creating and submitting a form), so allowing such requests to be sent via XHR or Fetch without preflight did not introduce new security concerns.
So, if you wish to sendwhen Web browsers introduced a principled means of sending cross-origin request with those headersrequests (cross-origin resource sharing, you have to support preflightor CORS), it was decided that such “simple” requests and dropcould be exempt from the preflight no-corsOPTIONS modecheck.