CORS
- https://github.com/expressjs/cors/blob/master/lib/index.js
- https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
Simple ("Safe") request
methods: HEAD, GET, POST
content-type: text/plain, application/x-www-form-urlencoded, multipart/form-data
headers: Access-Control-Allow-Origin: *
Preflight ("Unsafe") request
method: OPTIONS
request headers:
Access-Control-Request-Method: POST
Access-Control-Request-Headers: X-PINGOTHER, Content-Type
response headers:
Access-Control-Allow-Origin: https://foo.example
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: X-PINGOTHER, Content-Type
Credentials
- credentials (e.g. cookies) must not be sent by browser
- Access-Control-Allow-Origin: * will be blocked by browser
- Access-Control-Allow-Credentials: true must be included
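Added example (not part of the original notes and not code from expressjs/cors): a framework-free function that computes the CORS response headers for the simple, preflight and credentialed cases listed above. The names POLICY, corsResponse and samplePreflight are assumptions, as is the Vary: Origin header, which is added so caches do not reuse one origin's answer for another.

```javascript
// Assumed allowlist policy; the values mirror the headers in the notes above.
const POLICY = {
  origins: ['https://foo.example'], // or '*' for public, credential-free resources
  methods: ['POST', 'GET', 'OPTIONS'],
  headers: ['x-pingother', 'content-type'],
  credentials: true,
};

// method: HTTP method; reqHeaders: request headers keyed by lower-cased name.
// Returns { allowed, preflight, headers } for the CORS part of the response.
function corsResponse(method, reqHeaders, policy = POLICY) {
  const wildcard = policy.origins === '*';
  // Browsers block "*" on credentialed requests, so reject that config outright.
  if (wildcard && policy.credentials) {
    throw new Error('wildcard origin cannot be combined with credentials');
  }
  const origin = reqHeaders['origin'];
  const preflight = method === 'OPTIONS' &&
    reqHeaders['access-control-request-method'] !== undefined;
  // Denied: no Allow-* headers, so the browser withholds the response from the page.
  const denied = { allowed: false, preflight, headers: { Vary: 'Origin' } };
  if (!origin || !(wildcard || policy.origins.includes(origin))) return denied;

  const headers = {
    Vary: 'Origin',
    'Access-Control-Allow-Origin': wildcard ? '*' : origin, // exact origin, never a pattern
  };
  if (policy.credentials) headers['Access-Control-Allow-Credentials'] = 'true';

  if (preflight) {
    const wantMethod = reqHeaders['access-control-request-method'];
    const wantHeaders = (reqHeaders['access-control-request-headers'] || '')
      .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
    if (!policy.methods.includes(wantMethod) ||
        !wantHeaders.every((h) => policy.headers.includes(h))) return denied;
    headers['Access-Control-Allow-Methods'] = policy.methods.join(', ');
    headers['Access-Control-Allow-Headers'] = wantHeaders.join(', ');
  }
  return { allowed: true, preflight, headers };
}

// Constructed sample: the preflight request from the notes above.
const samplePreflight = {
  origin: 'https://foo.example',
  'access-control-request-method': 'POST',
  'access-control-request-headers': 'X-PINGOTHER, Content-Type',
};
console.log(corsResponse('OPTIONS', samplePreflight));
```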