
What are Preflight Requests, or why does the browser send additional requests?

Cross-domain requests are a very interesting topic to talk about. They also demand a lot of attention from the developer and a good knowledge of the specification.

Every cross-domain request is subject to security checks. Their goal is to protect servers built to older standards from attack. “Old” here means servers that do not even suspect that pages can send requests with methods such as “PUT”, “DELETE”, etc.
For a clear classification, the CORS specification divides all requests into two types.

Simple queries

“Simple” requests are all those that satisfy the conditions below:

  1. Simple method: GET, POST or HEAD
  2. Simple headers:
     • Accept
     • Accept-Language
     • Content-Language
     • Content-Type (allowed values: application/x-www-form-urlencoded, multipart/form-data or text/plain)

In other words, all those queries that a page could generate without using “XMLHttpRequest” are considered simple ones. However, they also have their own security requirements.

If a request fails to satisfy at least one of the conditions above, it is immediately classified as an “incomplete” (non-simple) request and needs an additional pre-request.

Security of simple queries

In the case of a simple cross-domain request, the browser automatically adds another header to the request, “Origin”, in which it writes down the domain from which the request was made. The server responds with the “Access-Control-Allow-Origin” header, which should contain the domain from which the request was sent.

If the server response does not have this header, the request is considered unsuccessful and the JavaScript code gets an error.

There is one more limitation imposed on “simple queries”: JavaScript can read only the following response headers:

  • Cache-Control
  • Content-Language
  • Content-Type
  • Expires
  • Last-Modified
  • Pragma

This means that, to give JavaScript access to other headers, such as those used to authorize a user, the server must open them explicitly by passing their list in the “Access-Control-Expose-Headers” header.

Incomplete queries

In a cross-domain query, you can specify not only GET / POST methods but also any others, for example: DELETE, UPDATE.

However, services built in past years were not ready for the fact that web pages can send such requests. Some of these old services mistakenly treat requests that use incomplete methods as requests from applications rather than from web pages. This causes errors, including confidentiality problems, because in this case the server can give the client a lot of privileges.

There are many variants of this problem, and this is only one of them. To avoid such problems, the protective mechanism of pre-requests was developed.

The name “pre-request” already tells us that the browser sends an extra request before sending the main one. Let’s look at it in more detail.

This request uses the OPTIONS method. If you get an error containing the word “preflight” and you see a request with this method in devtools on the Network tab, it means there was an error during the security procedures and the web service is not ready to accept requests from your domain.

This request does not have a body, but it carries two headers, Access-Control-Request-Method and Access-Control-Request-Headers, which contain the method and the list of headers for which access is requested.

Strictly speaking, the task of this request is to ask the server whether it is ready to accept certain methods and additional headers from us. If the server is ready, it will respond with the code “200”.

Additionally, the server can allow its response to be cached for a specific time by passing the caching period in seconds in the Access-Control-Max-Age header. If this header is specified, the pre-request will not be sent again for requests that have already been allowed during that period.
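
The rules above put into code, as an added example that is not part of the original post: `needsPreflight` applies the simple-request conditions, and `answerPreflight` shows how a server could answer the OPTIONS pre-request. The function names, the policy values and the 403 status for a refused pre-request are assumptions made for illustration.

```javascript
// Added example: names, policy values and the 403 refusal status are assumptions.
const SIMPLE_METHODS = new Set(['GET', 'POST', 'HEAD']);
const SIMPLE_HEADERS = new Set(['accept', 'accept-language', 'content-language']);
const SIMPLE_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// True when the request fails any "simple" condition and needs a pre-request.
function needsPreflight(method, headers = {}) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (SIMPLE_HEADERS.has(n)) continue;
    if (n === 'content-type') {
      const mime = String(value).split(';')[0].trim().toLowerCase();
      if (SIMPLE_TYPES.has(mime)) continue;
    }
    return true; // any other header (or Content-Type value) is not simple
  }
  return false;
}

// Hypothetical server policy: explicit allowlists, no wildcards.
const POLICY = {
  origins: new Set(['https://app.example']),
  methods: new Set(['GET', 'POST', 'PUT', 'DELETE']),
  headers: new Set(['content-type', 'authorization']),
  maxAge: 600, // seconds the browser may cache the answer
};

// Builds the response to an OPTIONS pre-request from its (lower-cased) headers.
function answerPreflight(reqHeaders, policy = POLICY) {
  const origin = reqHeaders['origin'];
  const method = (reqHeaders['access-control-request-method'] || '').toUpperCase();
  const wanted = (reqHeaders['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  const ok = policy.origins.has(origin) && policy.methods.has(method)
    && wanted.every((h) => policy.headers.has(h));
  if (!ok) return { status: 403, headers: {} }; // no CORS headers: browser blocks
  return { status: 200, headers: {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Methods': [...policy.methods].join(', '),
    'Access-Control-Allow-Headers': [...policy.headers].join(', '),
    'Access-Control-Max-Age': String(policy.maxAge),
    'Vary': 'Origin', // keep shared caches from mixing per-origin answers
  } };
}
```

Echoing back only an allowlisted origin, rather than whatever the Origin header contains, is what keeps the pre-request a real check.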

