Search code examples
google-chromecors

Chrome NOT performing a preflight request


I've worked with some previous APIs in AngularJS, however there has always been a preflight using the OPTIONS method. Now I am building a new API from scratch and for some reason, AngularJS does NOT send a preflight request.

From what I have experienced AngularJS always sends a preflight when working with CORS, but not in my case. So question is really, what triggers a preflight in AngularJS if its not request to a domain which is not the same as the one AngularJS is being hosted on?

The example I have is quite easy and looks like this:

$scope.submit = function () {
  $http.post('https://slimapi.devz/')
    .then(function successCallback(response){
      alert(response.data);
    }, function errorCallback(response) {
      console.log(response);
    });
}

The requesting URL is https://slimfrontend.devz/.

Chrome gets triggered by the response headers in the XHR with the POST method, and will not display the result, however, the result is being fetched (as seen in timeline). But again, there is no sign of OPTIONS preflight.

Here is a picture of what my request looks like, and as you can see by the arrow. Chrome does detect the bad match of the origin.

timeline view


Solution

  • MDN has a good description:

    In particular, a request is preflighted if any of the following conditions is true:

    (I paraphrase the rest below)

    • If the request uses any of the following methods (such as PUT)
    • If particular HTTP headers are set by the JS
    • If the Content-Type is not a valid value for the enctype attribute of an HTML <form>

    IIRC, Angular defaults to sending application/json payloads (which trigger the final condition above).

    Your example is of a POST request where you aren't POSTing any data (which is odd) so there is no Content-Type.