tacos_tacos_tacos

Reputation: 10585

Does setting the Authorization header for a POST cross-domain request always require a preflight?

I was surprised recently to learn that when I set the Authorization header, my POST requests are getting preflighted. I had always assumed that the Authorization header would be exempted because of its ubiquity.

Is it true that the Authorization header is not special with respect to CORS, and therefore whenever you set the Authorization header, the browser must preflight?

Upvotes: 2

Views: 66

Answers (1)

sideshowbarker

Reputation: 88026

Yes, it’s true that whenever you add the Authorization header to a request, it triggers a preflight in browsers. That’s because Authorization isn’t defined as a CORS safelisted request-header.

The list of CORS safelisted request-headers is quite short; it’s just Accept, Accept-Language, Content-Language, Content-Type, DPR, Downlink, Save-Data, Viewport-Width, Width.

Any header added to a request that’s not in that list will trigger browsers to do a preflight.

See https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Preflighted_requests.

Upvotes: 2
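
The preflight decision described in the answer, as an added example that is not part of the original answer: it classifies a request using the header list quoted above, then checks whether a server's preflight response would let the real request through. The function names and the plain-object shape for headers are assumptions made for this sketch; the Content-Type media-type restriction and the rule that a `*` in Access-Control-Allow-Headers does not cover Authorization come from the Fetch standard.

```javascript
// Added example (not from the answer). Header list as quoted in the answer;
// check the current Fetch standard for what a given browser actually uses.
const SAFELISTED = new Set(["accept", "accept-language", "content-language",
  "content-type", "dpr", "downlink", "save-data", "viewport-width", "width"]);
// Fetch standard: Content-Type is safelisted only for these media types.
const SIMPLE_TYPES = new Set(["application/x-www-form-urlencoded",
  "multipart/form-data", "text/plain"]);
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);

// Lowercased names of the request headers that force a preflight.
function unsafeHeaders(headers) {
  return Object.entries(headers).filter(([name, value]) => {
    const n = name.toLowerCase();
    if (!SAFELISTED.has(n)) return true;
    if (n !== "content-type") return false;
    const essence = String(value).split(";")[0].trim().toLowerCase();
    return !SIMPLE_TYPES.has(essence);
  }).map(([name]) => name.toLowerCase()).sort();
}

function needsPreflight(method, headers) {
  return !SIMPLE_METHODS.has(method.toUpperCase()) ||
    unsafeHeaders(headers).length > 0;
}

// Split a comma-separated CORS response header value into trimmed tokens.
function tokens(value) {
  return (value || "").split(",").map(t => t.trim()).filter(Boolean);
}

// Would the browser send the real request after this preflight response?
// `response` maps lowercase response header names to values (constructed shape).
// Origin matching, status code and credentialed-request rules are not modelled.
function preflightAllows(method, headers, response) {
  const allowH = tokens(response["access-control-allow-headers"])
    .map(t => t.toLowerCase());
  const allowM = tokens(response["access-control-allow-methods"]);
  const methodOk = SIMPLE_METHODS.has(method.toUpperCase()) ||
    allowM.includes(method) || allowM.includes("*");
  // Fetch standard: "*" never covers Authorization; it must be listed by name.
  const headersOk = unsafeHeaders(headers).every(h =>
    allowH.includes(h) || (h !== "authorization" && allowH.includes("*")));
  return methodOk && headersOk;
}
```

A server that accepts bearer tokens cross-origin therefore has to answer the OPTIONS request with Authorization named explicitly in Access-Control-Allow-Headers.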
