Nemo

Reputation: 3164

Cross Origin Request being made without CORS

Somehow, we are able to make a cross origin XHR request on Chrome (latest stable) & Firefox without using CORS or anything of the sort. I am puzzled by this, hence this question.

Make an XHR Post Request to http://partychat-hooks.appspot.com/post/p_mwe2ztni with the data:

{body:"Some text"}

If you are on a jQuery-enabled site, just type $.post("http://partychat-hooks.appspot.com/post/p_mwe2ztni",{body:"Hello World"}) on the console. SO has jQuery, so you can just press F12 now and paste this in your console.

The request goes from "Pending" to "cancelled" over in the network tab. The browser even gives us a warning about However, Wireshark tells me that the request is actually getting made (and is confirmed by a ping on the chatroom (join us at [email protected])).

The following screenshot shows 3 things:

  1. The request was made by JS
  2. The browser aborted the request as it was a Cross-Origin Request w/o CORS. (Presumably an OPTIONS request should have been sent)
  3. The popup on top-right shows that the request succeeded somehow.

Screenshot of the request

Here is a screenshot of Wireshark showing the request response (served over Google AppEngine)

Wireshark capture of the request response

You can get the pcap file from here.

Also, notable is the fact that I don't see any OPTIONS request being made by the browser at all (which it should to check for CORS support).

Someone please help us solve this mystery.

Upvotes: 3

Views: 725

Answers (1)

Greg

Reputation: 10360

Provided the request is a 'simple method' (GET/HEAD/POST) and the headers are all 'simple headers', then the browser can follow the 'simple' steps for the request, which don't include an OPTIONS pre-flight.

Upvotes: 2
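The 'simple request' rule from the answer above, as an added example that is not part of the original question or answer: a simplified model of the browser's preflight decision, run over constructed sample requests including the form-encoded POST that `$.post` produces. The function and sample names are hypothetical, and the model checks only method and headers (it ignores the header-length limits and upload-listener conditions in the Fetch specification).

```javascript
// Added example: simplified model of when a browser sends an OPTIONS preflight.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

function isSimpleHeader(name, value) {
  const n = name.toLowerCase();
  if (SIMPLE_HEADERS.has(n)) return true;
  if (n !== "content-type") return false;
  // Only the MIME type matters; parameters such as charset are ignored.
  const essence = String(value).split(";")[0].trim().toLowerCase();
  return SIMPLE_CONTENT_TYPES.has(essence);
}

// Returns { preflight, reasons } for a description of a cross-origin request.
function classifyCrossOriginRequest({ method = "GET", headers = {} }) {
  const reasons = [];
  const m = method.toUpperCase();
  if (!SIMPLE_METHODS.has(m)) reasons.push(`method ${m}`);
  for (const [name, value] of Object.entries(headers)) {
    if (!isSimpleHeader(name, value)) reasons.push(`header ${name}`);
  }
  return { preflight: reasons.length > 0, reasons };
}

// Constructed sample requests (not captured traffic).
const samples = {
  // Shape of $.post(url, {body: "Hello World"}) with jQuery's default contentType.
  jqueryFormPost: {
    method: "POST",
    headers: { Accept: "*/*", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8" },
  },
  jsonPost: { method: "POST", headers: { "Content-Type": "application/json" } },
  customHeader: { method: "GET", headers: { "X-Requested-With": "XMLHttpRequest" } },
  deleteCall: { method: "DELETE" },
};

for (const [label, req] of Object.entries(samples)) {
  const { preflight, reasons } = classifyCrossOriginRequest(req);
  console.log(label, preflight ? `preflight (${reasons.join(", ")})` : "sent directly, no OPTIONS");
}
```

A request classified as "sent directly" reaches the server and is processed there; the same-origin policy only stops the calling page from reading the response, so a state-changing endpoint needs its own protection (for example a CSRF token or an Origin check) rather than relying on the absence of CORS headers.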
