3

I am doing a CORS request (from an Angular resource) and it executes a preflight OPTIONS call. I do have a custom header line, and I think that's why it gets invoked.

However, I wonder if I can set things up so that the custom header (we call it X-Auth-Token) does not generate an OPTIONS request? Or is it set-in-stone behaviour for any custom header?

The OPTIONS request is triggering some transaction on the server and I want to get rid of that.

Askar Ibragimov

2 Answers

5

If your request has custom request headers, then yes, it is a set-in-stone behavior that you must have a preflight request. However, if you can get rid of the custom header, you can eliminate the preflight. One way to do this would be to move the X-Auth-Token header somewhere else, such as the query parameter. This question talks about ways to reduce preflight requests: How to apply CORS preflight cache to an entire domain

Also note that an OPTIONS request should be idempotent. If your OPTIONS request is also changing state on the server, I would look into fixing this and supporting preflight requests in the correct way. Any user on the web can trigger a preflight request to any server, so you should make sure your server is protected against that.

monsur
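The advice in the answer above (keep OPTIONS free of side effects and support preflight properly), sketched as an added example that is not part of either answer. The allowed origin, the `startTransaction` stand-in and the 600-second cache lifetime are assumptions chosen for illustration.

```javascript
// Added example: answer CORS preflight before any token check or transaction.
// ALLOWED_ORIGIN, startTransaction and the Max-Age value are hypothetical.
const ALLOWED_ORIGIN = 'https://app.example.com';
let transactionsStarted = 0;

function startTransaction(token) { // stand-in for the server's real, stateful work
  transactionsStarted += 1;
  return { ok: true };
}

// A preflight is an OPTIONS request carrying Origin and Access-Control-Request-Method.
function isPreflight(req) {
  return req.method === 'OPTIONS' &&
    'origin' in req.headers &&
    'access-control-request-method' in req.headers;
}

// req: { method, headers } with lower-cased header names (as Node's http module gives).
function handle(req) {
  const origin = req.headers['origin'];
  const cors = origin === ALLOWED_ORIGIN
    ? { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' }
    : {};

  if (req.method === 'OPTIONS') {
    // Return early: the browser does not send X-Auth-Token on the preflight,
    // and anyone can send OPTIONS, so no auth or state change happens here.
    if (!isPreflight(req) || origin !== ALLOWED_ORIGIN) {
      return { status: 204, headers: { 'Allow': 'GET, POST, OPTIONS' } };
    }
    return {
      status: 204,
      headers: {
        ...cors,
        'Access-Control-Allow-Methods': 'GET, POST',
        'Access-Control-Allow-Headers': 'X-Auth-Token',
        'Access-Control-Max-Age': '600', // lets the browser cache this preflight result
      },
    };
  }

  // Only the actual request carries the token and may start a transaction.
  const token = req.headers['x-auth-token'];
  if (!token) return { status: 401, headers: cors };
  startTransaction(token);
  return { status: 200, headers: cors };
}
```
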
2

Can't comment yet, so I'll post it as an answer:

You should take a look at this question. You can force OPTIONS off using the whitelist feature:

myApp.config(['$sceDelegateProvider', function($sceDelegateProvider) {
    $sceDelegateProvider.resourceUrlWhitelist(['self', 'http://mhnystatic.s3.amazonaws.com/**', 'http://mhnystatic2.s3.amazonaws.com/**']);
}])
Goodzilla