CORS - Githubissues

phymo commented 3 years ago

phymo commented 3 years ago

Simple requests
- GET/HEAD/POST
- Apart from the headers automatically set by the user agent (for example, Connection, User-Agent, or the other headers defined in the Fetch spec as a forbidden header name), the only headers which are allowed to be manually set are those which the Fetch spec defines as a CORS-safelisted request-header, which are: Accept, Accept-Language, Content-Language, Content-Type
- The only allowed values for the Content-Type header are: application/x-www-form-urlencoded/multipart/form-data/text/plain
- If the request is made using an XMLHttpRequest object, no event listeners are registered on the object returned by the XMLHttpRequest.upload property used in the request; that is, given an XMLHttpRequest instance xhr, no code has called xhr.upload.addEventListener() to add an event listener to monitor the upload.
- No ReadableStream object is used in the request.
  
  request header send Origin, response header send Access-Control-Allow-Origin to control Access.
Preflighted requests
- for "preflighted" requests the browser first sends an HTTP request using the OPTIONS method to the resource on the other origin, in order to determine if the actual request is safe to send.

phymo commented 3 years ago

Requests with credentials

request with cookie, response with Access-Control-Allow-Credentials: true, if not, the response would be ignored.

phymo commented 3 years ago

Origin : Note that in any access control request, the Origin header is always sent.
Access-Control-Request-Method
Access-Control-Request-Headers: <field-name>[, <field-name>]*

phymooc / Interviews