I'm seeing something weird with CORS, and I'm trying to confirm whether it's a bug or what...
Basically, I have a website, www.example.com, which makes a number of POST requests to log.example.com to do logging. Since log.example.com is a different domain, CORS is in effect.
In most cases, I see a preflight OPTIONS request, followed by the POST request. However, on some occasions, I just see the POST, without a preceding OPTIONS - basically, something like this:
OPTIONS
POST
...intervening requests to www...
OPTIONS
POST
POST
...intervening requests to www...
POST
...intervening requests to www...
OPTIONS
POST
None of the OPTIONS requests return the Access-Control-Max-Age header (which they probably should, but that's a different matter), so the OPTIONS response shouldn't be cached by the browser. All the OPTIONS requests return a 200 and all the POSTs return a 202. Sometimes there are intervening requests, sometimes not. All the OPTIONS requests pass exactly the same headers and the responses return exactly the same combination of Access-Control-* response headers. The same goes for the POST requests.
I don't have (easy) access to the JS which is making the POST requests (I mean, I could probably find it, but it's obfuscated), but I don't think it should make any difference - I'm pretty sure they're just basic ole' XHR requests.
From the fetch spec, if Access-Control-Max-Age is not passed, even if an entry is added to the preflight cache, it should be expelled immediately. Or could it be that because the second POST happens within one second of the first POST (which follows the OPTIONS request), there is an unexpired entry in the preflight cache?
Upvotes: 2
Not all POST requests are preflighted (POST is a CORS-safelisted method). It depends on the headers that are included in the request. So if none of the headers are outside the CORS-safelisted request-header range, you won't get a preflight.
Upvotes: 2
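The rule in the answer above, as an added example that is not part of the original thread: a JavaScript model of the Fetch standard's check for whether a cross-origin request is preflighted. The function names and the `samples` requests are constructed for illustration, and the check is simplified where the comments say so.

```javascript
// Added example: models which cross-origin requests trigger a CORS preflight
// (rules from the Fetch standard; simplified where noted).
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);
// Bytes that make an Accept or Content-Type value non-safelisted.
const UNSAFE_BYTE = /[\x00-\x08\x0a-\x1f"():<>?@[\\\]{}\x7f]/;

function isSafelistedHeader(name, value) {
  if (new TextEncoder().encode(value).length > 128) return false;
  switch (name.toLowerCase()) {
    case "accept":
      return !UNSAFE_BYTE.test(value);
    case "accept-language":
    case "content-language":
      return /^[0-9A-Za-z *,\-.;=]*$/.test(value);
    case "content-type": {
      if (UNSAFE_BYTE.test(value)) return false;
      return SAFE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase());
    }
    case "range":
      return /^bytes=\d+-\d*$/.test(value); // simplified "simple range" check
    default:
      return false;
  }
}

// Returns the reasons a preflight is required; an empty array means none.
// Simplification: the 1024-byte cap on combined safelisted values is omitted.
function preflightReasons({ method, headers = {}, uploadListener = false }) {
  const reasons = [];
  if (!SAFE_METHODS.has(method.toUpperCase())) reasons.push(`method ${method.toUpperCase()}`);
  for (const [name, value] of Object.entries(headers)) {
    if (!isSafelistedHeader(name, value)) reasons.push(`header ${name.toLowerCase()}`);
  }
  // XMLHttpRequest forces a preflight when upload event listeners are registered.
  if (uploadListener) reasons.push("xhr upload listener");
  return reasons;
}

// Constructed sample requests from www.example.com to log.example.com.
const samples = {
  jsonPost: { method: "POST", headers: { "Content-Type": "application/json" } },
  textPost: { method: "POST", headers: { "Content-Type": "text/plain;charset=UTF-8" } },
  customHeader: { method: "POST", headers: { "X-Requested-With": "XMLHttpRequest" } },
};
console.log(Object.entries(samples).map(([k, r]) => [k, preflightReasons(r)]));
```

A request that this check flags can still go out without an OPTIONS when the browser holds an unexpired preflight cache entry for it; the Fetch standard uses a max-age of 5 seconds when the preflight response has no Access-Control-Max-Age.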