Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to skip the OPTIONS preflight request?

I had developed a PhoneGap app which is now being transformed to a mobile website. Everything works smoothly besides one small glitch. I use a certain third party API via a POST request, which works fine in the app, but fails in the mobile website version.

After a closer look it seems like AngularJS (I guess the browser actually) is first sending an OPTIONS request. I learned a lot today about CORS, but I can't seem to figure out how to disable it altogether. I do not have access to that API (so changes at that side are impossible), but they have added the domain I am working on to their Access-Control-Allow-Origin header.

This is the code I am talking about:

        var request = {                 language: 'fr',                 barcodes: [                     {                         barcode: 'somebarcode',                         description: 'Description goes here'                     }                 ]             };         }         var config = {             headers: {                  'Cache-Control': 'no-cache',                 'Content-Type': 'application/json'             }         };         $http.post('http://somedomain.be/trackinginfo', request, config).success(function(data, status) {             callback(undefined, data);         }).error(function(data, status) {             var err = new Error('Error message');             err.status = status;             callback(err);         }); 

How can I prevent the browser (or AngularJS) from sending that OPTIONS request and just skip to the actual POST request? I am using AngularJS 1.2.0.

Thanks in advance.

like image 337
Bram Vandewalle Avatar asked Apr 09 '14 16:04

Bram Vandewalle


People also ask

How can we avoid preflight requests?

Another way to avoid Preflight requests is to use simple requests. Preflight requests are not mandatory for simple requests, and according to w3c CORS specification, we can label HTTP requests as simple requests if they meet the following conditions. Request method should be GET , POST , or HEAD .

Is preflight request necessary?

This opt-in is the preflight request. So GET/POST requests without any custom headers don't need a preflight, since these requests were already possible before CORS. But any request with custom headers, or PUT/DELETE requests, do need a preflight, since these are new to the CORS spec.

What is Preflight options request?

A CORS preflight request is a CORS request that checks to see if the CORS protocol is understood and a server is aware using specific methods and headers. It is an OPTIONS request, using three HTTP request headers: Access-Control-Request-Method , Access-Control-Request-Headers , and the Origin header.

What triggers a preflight request?

A preflight request is a small request that is sent by the browser before the actual request. It contains information like which HTTP method is used, as well as if any custom HTTP headers are present. The preflight gives the server a chance to examine what the actual request will look like before it's made.


1 Answers

The preflight is being triggered by your Content-Type of application/json. The simplest way to prevent this is to set the Content-Type to be text/plain in your case. application/x-www-form-urlencoded & multipart/form-data Content-Types are also acceptable, but you'll of course need to format your request payload appropriately.

If you are still seeing a preflight after making this change, then Angular may be adding an X-header to the request as well.

Or you might have headers (Authorization, Cache-Control...) that will trigger it, see:

  • https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS#Preflighted_requests
like image 144
Ray Nicholus Avatar answered Sep 26 '22 20:09

Ray Nicholus