1

I just read this:

same-origin policy allows inter-origin HTTP requests with GET and POST methods but denies inter-origin PUT and DELETE requests

What is so special about PUT/DELETE? Why are they blocked? You can do an update/delete inside a POST method anyway.

With CORS, why is a POST request preflighted if it uses xml/json rather than application/x-www-form-urlencoded?

Please explain why some verbs are treated differently to others.

Kevin Christopher Henry
David Klempfner

1 Answer

3

The fundamental distinction is between the kind of request triggered by a user navigating a web page and the kind triggered by a script. This distinction is rooted in web history, based on what early browsers considered safe and unsafe. All browsers since have tried to maintain backwards compatibility so as to not violate the expectations of servers relying on those early de facto standards.

What kind of requests are generated by users navigating the web? Basically, GET requests and POST requests triggered by a form submission. Browsers have always allowed such cross-origin requests, and so they assume that servers are designed to handle them. But that doesn't include, for example, POSTs that have custom headers that could only be added by a script. (For a precise description of what makes a request safe or not, see the Fetch specification.)

See my answer here for more detail on how CORS uses preflight requests to maintain backwards compatibility with the Same Origin Policy.

Kevin Christopher Henry
  • You know how browsers these days let you make a cross origin POST/GET, but if the server doesn't return Access-Control-Allow-Origin: * or Access-Control-Allow-Origin: , then you can't view the response? I assume old browsers, before CORS was created, would allow you to view the response? Do you know what version of Chrome would be the last version before CORS came about? I'd like to experiment and see if you can view the response or not for a cross origin GET/POST. – David Klempfner Nov 07 '20 at 03:51
  • 2
    @DavidKlempfner: No, pre-CORS browsers would not let a script view the response to a cross-origin request. That is essentially the definition of the same origin policy. CORS is strictly about *loosening* restrictions, making possible what could not be done before. – Kevin Christopher Henry Nov 07 '20 at 06:19
  • I was reading https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS and it says "This means that a web application using those APIs can only request resources from the same origin the application was loaded from". Isn't this inaccurate? The request can still be made/executed, it's just that you can't view the response? – David Klempfner Nov 07 '20 at 11:07
  • @DavidKlempfner The full text of that passage from the MDN articles reads: *“For security reasons, browsers restrict cross-origin HTTP requests initiated from scripts. For example, XMLHttpRequest and the Fetch API follow the same-origin policy. This means that a web application using those APIs can only request resources from the same origin the application was loaded from unless the response from other origins includes the right CORS headers.”* — which is accurate. – sideshowbarker Nov 07 '20 at 12:36
  • @DavidKlempfner: It depends on the type of request. For "simple" `GET` and `POST` the request will be sent, but the script won't be able to read the response without the right CORS response headers. For other kinds of request, the request itself won't be sent unless the server first opts-in via the preflight mechanism. The [Same-origin policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy) page linked to describes it in more detail. – Kevin Christopher Henry Nov 07 '20 at 12:56
  • @sideshowbarker I still think it's inaccurate. You can make a cross origin request, and it will execute, it's just that you won't be able to view the response. I've tested this myself locally using two web apps, each with a different port. – David Klempfner Nov 08 '20 at 02:45
  • @KevinChristopherHenry please see this question: https://stackoverflow.com/questions/64769030/why-does-the-same-origin-policy-not-block-post-requests – David Klempfner Nov 10 '20 at 12:34
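Added example, not code from the answer or from any browser: a small JavaScript classifier that applies the Fetch specification's CORS-safelisted method and header rules the answer points to, showing why a form-encoded POST goes out without a preflight while a JSON POST or a DELETE does not. The function names and the sample requests are my own; header-value byte rules beyond the 128-byte length limit are left out.

```javascript
// Classifies a scripted cross-origin request the way the Fetch spec's
// "CORS-safelisted" rules do: a safelisted request is sent directly (it looks
// like a navigation or a form submit); anything else triggers an OPTIONS
// preflight so the server can opt in before the real request is sent.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// CORS-safelisted request headers (Fetch spec); values must be <= 128 bytes.
// Byte-level restrictions on the values are omitted here for brevity.
function isSafelistedHeader(name, value) {
  if (value.length > 128) return false;
  switch (name.toLowerCase()) {
    case "accept":
    case "accept-language":
    case "content-language":
      return true;
    case "content-type": {
      // Only the MIME essence (before any ";charset=...") is checked.
      const essence = value.split(";")[0].trim().toLowerCase();
      return SAFELISTED_CONTENT_TYPES.has(essence);
    }
    default:
      return false; // e.g. Authorization, X-Requested-With, custom headers
  }
}

// Returns { preflight: boolean, reasons: string[] } explaining the decision.
function classifyRequest(method, headers = {}) {
  const reasons = [];
  const m = method.toUpperCase();
  if (!SAFELISTED_METHODS.has(m)) reasons.push(`method ${m} is not safelisted`);
  for (const [name, value] of Object.entries(headers)) {
    if (!isSafelistedHeader(name, value)) {
      reasons.push(`header ${name}: ${value} is not safelisted`);
    }
  }
  return { preflight: reasons.length > 0, reasons };
}

// Constructed sample requests mirroring the question above.
const formPost = classifyRequest("POST", { "Content-Type": "application/x-www-form-urlencoded" });
const jsonPost = classifyRequest("POST", { "Content-Type": "application/json" });
const deleteReq = classifyRequest("DELETE");
console.log(formPost, jsonPost, deleteReq);
```

Run it with Node; `formPost` comes back without a preflight, while `jsonPost` and `deleteReq` each list the reason a browser would send OPTIONS first.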