Why is there no preflight in CORS for POST requests with standard content-type

by

See What is the motivation behind the introduction of preflight CORS requests?.

The reason CORS doesn’t require browsers to do a preflight for application/x-www-form-urlencoded, multipart/form-data, or text/plain content types is that if it did, that’d make CORS more restrictive than what browsers have already always allowed (and it’s not the intent of CORS to put new restrictions on what was already possible without CORS).

That is, with CORS, POST requests that you could do previously cross-origin are not preflighted—because browsers already allowed them before CORS existed, and servers knew about them. So CORS changes nothing about those “old” types of requests.

But prior to CORS, browsers wouldn’t allow you to do a cross-origin application/json POST at all, and so servers could assume they wouldn’t receive them. That’s why a CORS preflight is required for those types of “new” requests and not for the “old” ones—to give a heads-up to the server: this is a different “new” type of request that they must explicitly opt-in to supporting.

Related Contents:

  1. Are HTTPS headers encrypted?
  2. Disable cross domain web security in Firefox
  3. Disable firefox same origin policy
  4. How to skip the OPTIONS preflight request?
  5. How secure is a HTTP POST?
  6. Simple example for why Same Origin Policy is needed
  7. How should I ethically approach user password storage for later plaintext retrieval?
  8. How does the SQL injection from the “Bobby Tables” XKCD comic work?
  9. How are software license keys generated?
  10. What is the purpose of base 64 encoding and why it used in HTTP Basic Authentication?
  11. How can a JACC provider use the Principal-to-role mapping facilities of the server it’s deployed on?
  12. Google Authenticator available as a public service?
  13. Defeating a Poker Bot
  14. fetch() does not send headers?
  15. Non-random salt for password hashes
  16. Our security auditor is an idiot. How do I give him the information he wants?
  17. Possible to change email address in keypair?
  18. Why would I need a firewall if my server is well configured?
  19. The IT Manager is Leaving – What do I lockdown?
  20. Ansible security best practices
  21. how to secure an open PostgreSQL port
  22. Block employee access to public cloud
  23. Illegal activities prevention system (child pornography, animal cruelty, …)
  24. How do I block specific IPs and IP ranges in IIS7?
  25. Troubleshooting Windows Authentication problems (no challenge) in IIS 7.5?
  26. What is the Rowhammer DRAM bug and how should I treat it?
  27. How can I destroy data on a failed hard disk without voiding warranty?
  28. IT Audit checklist [closed]
  29. How to manage a web servers SSL private key protection (password vs. no password)?
  30. Are Elastic Beanstalk’s environment variables an appropriate place to store secret values?
  31. What do the OS X authorization mechanisms actually do?
  32. Security risks of PermitUserEnvironment in ssh
  33. is this a hack attempt?
  34. Should I report hacking attempts?
  35. How to generate new, 2048-bit Diffie-Hellman parameters with Java keytool?
  36. How to give non-root user in Docker container access to a volume mounted on the host
  37. Black hat knowledge for white hat programmers [closed]
  38. What is the difference between hash salting and noncing?
  39. How to pass the value of a variable to the standard input of a command?
  40. How can I hash passwords in postgresql?
  41. Is CSRF possible with PUT or DELETE methods?
  42. Are Google Cloud Functions protected from DDoS attacks?
  43. What reasons are there NOT to use OpenID?
  44. Mysqldump launched by cron and password security
  45. If you use HTTPS will your URL params will be safe from sniffing? [duplicate]
  46. Is checking the referrer enough to protect against a CSRF attack?
  47. Secure Google Cloud Functions http trigger with auth
  48. “Remember Me On This Computer” – How Should It Work?
  49. Docker Store Vs Docker Hub
  50. Is it possible to reverse a SHA-1 hash?

Leave a Comment