Today I Learned

Avoiding CORS preflight for HTTP requests

Not every HTTP request sends CORS preflight.

For simple requests it is possible that preflight is not being sent at all.

Details are listed on MDN CORS documentation

In short request must be performed

  • with one of the methods below:

    • GET
    • HEAD
    • POST
  • with following additional headers (apart from standar user-agent ones)

    • Accept
    • Accept-Language
    • Content-Language
    • Content-Type

There are more limitations so I recommend reading through MDN docs