Setting CORS call to GET not OPTIONS

Question

I am creating a CORS call as follows:

createCORSRequest: function(method, url) {
    var xhr = new XMLHttpRequest();
    xhr.withCredentials = true;

    if ("withCredentials" in xhr) {
        // Check if the XMLHttpRequest object has a "withCredentials" property.
        // "withCredentials" only exists on XMLHTTPRequest2 objects.
        console.log("Sending request with credneitials");
        xhr.open(method, url, true);
    } else if (typeof XDomainRequest != "undefined") {
        // Otherwise, check if XDomainRequest.
        // XDomainRequest only exists in IE, and is IE's way of making CORS requests.
        xhr = new XDomainRequest();
        xhr.open(method, url);
    } else {
        xhr = null;
    }

    xhr.setRequestHeader('Authorization', 'Bearer bf6dcfd4e975a007dc8184be6bcf580c'); //Authorization details needed

    return xhr;
}

The problem is that this is always sent as an OPTIONS call, which the server does not handle at all. If I remove

xhr.setRequestHeader('Authorization', 'Bearer bf6dcfd4e975a007dc8184be6bcf580c');

then it becomes a GET request but the server will not process it without the access token.

Is there a way to send the Authorization Header in the GET request ?

Or will I have to modify the server to handle OPTIONS requests ? I.e. preflights and so forth.

Thanks for the help.

Answer 1

If you set an Authorization header then you are making a complex request and you have to handle the OPTIONS preflight before the browser will make the GET request.

You can't set the header without handling the OPTIONS request.