Same origin policy violation but data gets send

Question

I'm on writing a little tracker in javascript. This tracker just gets the currently visited website with all needed informations. It also tracks ajax events. The counterpart is a java program which is hosted on the same machine as the webserver, but listening to a different port. My javascript program should not be able to send the data, because of the same origin policy (different port). The console in chrome tells me that:

XMLHttpRequest cannot load http://127.0.0.1:8082/posts. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:8081' is therefore not allowed access.

What i don't get is, the data gets sent to the server! I double checked this on different machines (with different ip's). I just want to understand why. I did not write the send method on my own, thats why i don't really get it.

//sending data to server-tracker
function sendData(data)
{
    console.log("Sending data: ");
    console.log(data);
    var xhr = window.XMLHttpRequest
        ? new window.XMLHttpRequest()
        : window.ActiveXObject
        ? new ActiveXObject('Microsoft.XMLHTTP')
        : null;
    xhr.open('POST', "http://127.0.0.1:8082/posts", true);
    xhr.send(data);
}

Thanks for helping.

Answer 1

The Same Origin Policy primarily stops JavaScript from reading data from other origins.

It has some features which prevent sending data to other origins under some circumstances. These can be summed up as "when the request couldn't have been constructed using an HTML form". These trigger a preflight request asking for permission to send the actual request.

Cross Origin Request Forgery which is a different problem and one best solved by using a Synchronizer Token (which is stored in HTML documents on the site (so it can only be sent by requests initiated from that site) and in the user's session (which is used to compare submitted ones).