0

My Cordova app uses Backbone.js to communicate with my servers. Since the app obviously doesn't run under the same domain as my API, every non-trivial Ajax request is being sent with an OPTIONS pre-flight. I understand why it does that. However, I am in complete control over my own server! I know exactly what HTTP methods and headers are supported. Therefore, isn't the OPTIONS request a waste of time? How can I disable it?

tillsanders

1 Answer

2

You say you know why it makes the requests, but to provide some context for those who do not, MDN describes the conditions under which you'll get a preflighted request.

No, you can't disable it.

As the author of the client side code, you know what requests you want to make.

As the author of the server side code, you know what requests you want to accept.

As the company that wrote the user's browser, Google (or Mozilla, Opera, etc.) don't know that you are the author of both sites and that you trust yourself. They don't know that the requests Site A is asking the browser to make to Site B are harmless.

Before CORS, an author just had to worry about defending against CSRF attacks that could be initiated by links and by forms.

Then along comes XHR and suddenly JavaScript on http://evil.example.com can trigger a DELETE request to http://victim.example.com complete with withCredentials enabled. It would be pretty bad if the server processed that, responded to the browser, then the browser told the JS engine that there were no Access-Control headers. The content would already be deleted.

So you need a preflight to get permission.

So it isn't a waste of time. You can't disable it. You just have to reply to it with permission.

Quentin
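
An added example (not part of the answer above, and not any project's own code): one way a server can "reply with permission", written as plain JavaScript for a Node-style request handler. The origin, method and header allowlists and the 600-second Access-Control-Max-Age are assumptions; Max-Age lets the browser cache the preflight result so repeated requests skip the extra round trip.

```javascript
// Added example: policy values below are assumptions, not taken from the page.
const POLICY = {
  origins: new Set(["https://app.example.com"]), // constructed client origin
  methods: new Set(["GET", "POST", "PUT", "DELETE"]),
  headers: new Set(["content-type", "authorization"]),
  maxAge: 600, // seconds the browser may cache the preflight result
};

// Decide how to answer a preflight. `h` is a lower-cased header map
// (as Node's req.headers provides). Returns { status, headers }.
function answerPreflight(h, policy = POLICY) {
  const origin = h["origin"];
  const method = h["access-control-request-method"];
  const wanted = (h["access-control-request-headers"] || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

  const allowed =
    policy.origins.has(origin) &&
    policy.methods.has(method) &&
    wanted.every((name) => policy.headers.has(name));

  // No Access-Control-* headers on refusal: the browser then blocks the
  // real request, so the DELETE never reaches the application.
  if (!allowed) return { status: 403, headers: { Vary: "Origin" } };

  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin, // echo the vetted origin, not "*"
      "Access-Control-Allow-Methods": [...policy.methods].join(", "),
      "Access-Control-Allow-Headers": [...policy.headers].join(", "),
      "Access-Control-Allow-Credentials": "true",
      "Access-Control-Max-Age": String(policy.maxAge),
      Vary: "Origin",
    },
  };
}

// Returns true when the request was a preflight and has been answered;
// false means the caller should route it as an actual request.
function handlePreflight(req, res) {
  const isPreflight = req.method === "OPTIONS" &&
    "access-control-request-method" in req.headers;
  if (!isPreflight) return false;
  const { status, headers } = answerPreflight(req.headers);
  res.writeHead(status, headers);
  res.end();
  return true;
}
```

The actual (non-preflight) responses still need their own Access-Control-Allow-Origin header and the server's normal authentication and CSRF checks.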