For a cross-origin OPTIONS request, is the pre-flight OPTIONS request followed by a "regular" OPTIONS request?

Question

I'm trying to implement proper CORS logic in my service. From looking at all the available documentation, it's not clear to me whether, in the case of a cross-origin OPTIONS request, the client would send (1) a pre-flight OPTIONS request, and if allowed by the pre-flight response, (2) a "regular" (non-pre-flight) OPTIONS request.

In other words, in my server, when I get a pre-flight OPTIONS request, should I execute both the CORS logic and the normal OPTIONS request processing logic at the same time, populating the normal OPTIONS response headers as well as the the Access-Control-* response headers?

Or should I just do the CORS logic for the pre-flight request, and expect a follow-up OPTIONS request if the OPTIONS method is allowed from the origin?

[extra credit for pointing to an authoritative reference]

Answer 1

In the case of an OPTIONS request, you will receive a preflight OPTIONS request followed by the actual OPTIONS request. The preflight OPTIONS request can be identified because it will have: 1) an OPTIONS HTTP method, 2) An Origin header, and 3) An Access-Control-Request-Method header. The actual OPTIONS request will only have: 1) an OPTIONS HTTP method, and 2) An Origin header. The actual OPTIONS request will not have an Access-Control-Request-Method header.

Here is an example that demonstrates this: http://client.cors-api.appspot.com/client#?client_method=OPTIONS&client_credentials=false&server_enable=true&server_status=200&server_credentials=false&server_methods=OPTIONS&server_tabs=local