Search code examples
requestcorshttp-posthttp-method

Browser still send HTTP POST request after preflight request does not allow POST method


I'm confused about that my API server (NodeJS Express) only allow GET method

res.setHeader('Access-Control-Allow-Methods', 'GET');

then I make a CORS POST request with header

headers: {
  'Content-Type': 'application/json',
  'X-Test-Header': 'TESTING'
}

(the purpose is force browser to call OPTIONS request before a POST request). Then I inspect Network Tab in Chrome Debug, it does send 2 request (first with OPTIONS then POST request). The response header of OPTIONS request is:

Access-Control-Allow-Methods: GET

the question is why it still calls POST request when POST verb is not included in Allow-Methods headers?

Anyone know this please explain to me. Thanks in advance.

P/S: With DELETE or PUT method, it will throw an error

has been blocked by CORS policy: Method PUT is not allowed
by Access-Control-Allow-Methods in preflight response.

I think with POST method it must throw the same error to indicate the method is not allowed

P/S: I'm still facing about this issue, Does anyone know it and explain to me, thanks in advance


Solution

  • I have encountered the same problem recently. I found this in fetch spec, which I think could be used as a reference for the real http spec since fetch API have to comply to it. According to the step 7, it's said that if CORS check returns success, it will go through the step 7.5, which deduces if the request's method is valid. We can notice that if the request's method is not in the Access-Control-Allow-Methods and it's not a CORS-safelisted method(GET, POST, HEAD), it will throw an error.

    From the above inference, we can know that it's because your preflight passed the CORS check, even though the request's method didn't match the Access-Control-Allow-Methods, since it was a CORS-safelisted method, it would not throw an error.

    Considering that, if you want to forbid the POST method, you should not let it pass the CORS check. For instance, don't set the Access-Control-Allow-Origin in the response. It dosen't really matter whatever you set Access-Control-Allow-Methods, since it's a CORS-safelisted method.