Menu
I just read this:
same-origin policy allows inter-origin HTTP requests with GET and POST methods but denies inter-origin PUT and DELETE requests
What is so special about PUT/DELETE? Why are they blocked? You can do an update/delete inside a POST method anyway.
With CORS, why is a POST request preflighted if it uses xml/json rather than application/x-www-form-urlencoded?
Please explain why some verbs are treated differently to others.
EDIT: I ended up writing about this in an article.
273
The fundamental distinction is between the kind of request triggered by a user navigating a web page and the kind triggered by a script. This distinction is rooted in web history, based on what early browsers considered safe and unsafe. All browsers since have tried to maintain backwards compatibility so as to not violate the expectations of servers relying on those early de facto standards.
What kind of requests are generated by users navigating the web? Basically, GET requests and POST requests triggered by a form submission. Browsers have always allowed such cross-origin requests, and so they assume that servers are designed to handle them. But that doesn't include, for example, POSTS that have custom headers that could only be added by a script. (For a precise description of what makes a request safe or not, see the Fetch specification.)
See my answer here for more detail on how CORS uses preflight requests to maintain backwards compatibility with the Same Origin Policy.
155
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
