What is the reason behind sending an OPTION
request before the actual POST
, UPDATE
, PUT
or DELETE
request when a different domain is called? (So on CORS requests) I know it supposed to check whether the server can process the real request but why not send just the real request immediately?
Some of the reasons I have thought about:
- See if the method is supported
- Sending the real request will return the same status code, so
no need to send
OPTION
request first.
- Sending the real request will return the same status code, so
no need to send
- Check if the user allowed to send the request
- Make no sense as no auth headers are sent with the
OPTION
requests
- Make no sense as no auth headers are sent with the
- Prevent heavy load on the server
- Make no sense, as checking the auth rules is before the processing of the data.
- To check if requested headers and origin are allowed
- This is how it works now, but again why not just send the request, and we can read the error from the real request.
- Prevent sending the post data, if it wont be processed
- This is the only reason what is valid. Using options request will prevent sending the post data to the server unnecessarily. However I think this is not a problem in the 99% of the time, as only a small chunk of data is sent.
Can someone shed some light on the reasons why browser vendors implemented OPTION
requests when calling a different domain?