Should the CORS preflight OPTIONS request return 200 OK?

Question

I'm making cross-domain requests to my rails app from a site, using the rack-cors middleware (though I don't think this question is specific to rack-cors). When I inspect the console output with firebug I notice that there is only one request going out, the POST request. Is the OPTIONS request made secretly?

Similarly, when I inspect my server log I see

Started OPTIONS "/australia_post_api_connections" for 127.0.0.1 at 2013-01-08 16:06:18 -0800

but no corresponding

Completed 200 OK in 1441ms (Views: 85.2ms | ActiveRecord: 0.0ms)

Is this normal, or does it mean that the OPTIONS request is not running to completion? What sort of response should I expect from the CORS preflight OPTIONS request?

Answer 1

CORS OPTIONS responses should return 200s, and along with them, an assortment of Access-Control-* headers.

My guess is that you're not seeing it in your rails logs as "Completed 200" because it's happening in Rack middleware at a point before that logging occurs in the Rails framework.

You can check the request/response headers in Firebug/Chrome's Developer Tools network panel to verify that everything is proceeding correctly. I don't believe Firebug hides the OPTIONS request, but it's possible that the result of the OPTIONS request is being cached if Access-Control-Max-Age is being returned.