Simple requests are requests that meet the following criteria:
HTTP Method matches (case-sensitive) one of:
HTTP Headers matches (case-insensitive):
But looking at this test page, which is not causing a preflight request:
General:
Remote Address:69.163.243.142:80
Request URL:http://aruner.net/resources/access-control-with-get/
Request Method:GET
Status Code:200 OK
Request Headers
Accept:*/*
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8,he;q=0.6
Cache-Control:no-cache
Connection:keep-alive
DNT:1
Host:aruner.net
Origin:http://arunranga.com
Pragma:no-cache
Referer:http://arunranga.com/examples/access-control/simpleXSInvocation.html
User-Agent:Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Response Headers
Access-Control-Allow-Origin:http://arunranga.com
Connection:Keep-Alive
Content-Type:application/xml
Date:Sat, 26 Sep 2015 09:00:26 GMT
Keep-Alive:timeout=2, max=100
Server:Apache
Transfer-Encoding:chunked
Being pedantic and looking at the request section, there are many headers which are not in the preceding criteria section:
Cache-Control is not on the list
Connection is not on the list
DNT is not on the list
User-Agent is not on the list
Accept-Encoding is not on the list
I know that those are more of "general" headers. But so is accept-language.
Question
What am I missing here? According to the criteria section, a request with those headers should cause a preflight request.
Looking at your code:
invocation.open('GET', url, true);
invocation.onreadystatechange = handler;
invocation.send();
You are not actually setting any custom headers, e.g.:
invocation.setRequestHeader("X-Requested-With", "XMLHttpRequest");
Therefore there will be no preflight. Default browser headers do not count. The preflight mechanism is only there to ensure any custom headers, such as the one in my example above, are allowed to be passed cross domain by the receiving site.