The original standard does preclude redirect after a successful CORS preflight. Quoting § 7.1.5.3: This is the actual request. Apply the make a request steps and observe the request rules below while making the request. If the response has an HTTP status code of 301, 302, 303, 307, or 308 Apply the cache and network … Read more
See What is the motivation behind the introduction of preflight CORS requests?. The reason CORS doesn’t require browsers to do a preflight for application/x-www-form-urlencoded, multipart/form-data, or text/plain content types is that if it did, that’d make CORS more restrictive than what browsers have already always allowed (and it’s not the intent of CORS to put … Read more
CORS OPTIONS preflight requests not showing in dev tools
FWIW, this is my CORS Middleware that works for my needs. func CORSMiddleware() gin.HandlerFunc { return func(c *gin.Context) { c.Writer.Header().Set(“Access-Control-Allow-Origin”, “*”) c.Writer.Header().Set(“Access-Control-Allow-Credentials”, “true”) c.Writer.Header().Set(“Access-Control-Allow-Headers”, “Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization, accept, origin, Cache-Control, X-Requested-With”) c.Writer.Header().Set(“Access-Control-Allow-Methods”, “POST, OPTIONS, GET, PUT”) if c.Request.Method == “OPTIONS” { c.AbortWithStatus(204) return } c.Next() } }
One simple way to separate out your logic and re-use the CORS handler you define would be to wrap your REST handler. For example, if you’re using net/http and the Handle method you could always do something like: func corsHandler(h http.Handler) http.HandlerFunc { return func(w http.ResponseWriter, r *http.Request) { if (r.Method == “OPTIONS”) { //handle … Read more
The gist of it is, just use 200. A little more generally: You should just send back the same status code for the CORS preflight OPTIONS request that you’d send back for any other OPTIONS request. The relevant specs don’t require or recommend anything more than that. What the specs say: The Fetch spec at … Read more
Original Answer I finally found the answer, in this RFC about CORS-RFC1918 from a Chrome-team member. To sum it up, Chrome has implemented CORS-RFC1918, which prevents public network resources from requesting private-network resources – unless the public-network resource is secure (HTTPS) and the private-network resource provides appropriate (yet-undefined) CORS headers. There’s also a Chrome flag … Read more
Short answer: Ensure the request URL in your code isn’t missing a trailing slash. A missing-trailing-slash problem is the most-common cause of the error cited in the question. But that’s not the only cause — just the most common. Read on for more details. When you see this error, it means your code is triggering … Read more
The preflight is being triggered by your Content-Type of application/json. The simplest way to prevent this is to set the Content-Type to be text/plain in your case. application/x-www-form-urlencoded & multipart/form-data Content-Types are also acceptable, but you’ll of course need to format your request payload appropriately. If you are still seeing a preflight after making this … Read more
You’ll need to go to: chrome://flags/#out-of-blink-cors, disable the flag, and restart Chrome. This is an expected behavior change according to: https://bugs.chromium.org/p/chromium/issues/detail?id=995740#c1 I originally came across this via: https://support.google.com/chrome/thread/11089651?hl=en