The same-origin policy restricts the kinds of requests that a Web page can send to resources from another origin. In the no-cors mode, the browser is limited to sending “simple” requests — those with safelisted methods and safelisted headers only. To send a cross-origin request with headers like Authorization and X-My-Custom-Header, you have to drop the no-cors mode and support preflight requests (OPTIONS).

The distinction between “simple” and “non-simple” requests exists for historical reasons. Web pages could always perform some cross-origin requests through various means (such as creating and submitting a form), so when Web browsers introduced a principled means of sending cross-origin requests (cross-origin resource sharing, or CORS), it was decided that such “simple” requests could be exempt from the preflight OPTIONS check.
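As an added example (not part of the original text), the following Node.js code classifies a request as "simple" or preflight-requiring using the CORS-safelisted method and header rules, and shows how a server should answer the OPTIONS preflight: echoing only an allow-listed Origin and granting only the methods and headers the resource actually supports. The allow lists and sample requests are constructed for illustration.

```javascript
// Added example: CORS "simple" vs "non-simple" classification and preflight handling.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
// Content-Type values a simple request may carry without triggering a preflight.
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);

// Returns the reasons a request is not "simple"; an empty list means no preflight is needed.
function preflightReasons(method, headers) {
  const reasons = [];
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) reasons.push(`method ${method}`);
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) { reasons.push(`header ${name}`); continue; }
    if (lower === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) reasons.push(`content-type ${mime}`);
    }
  }
  return reasons;
}

function needsPreflight(method, headers) {
  return preflightReasons(method, headers).length > 0;
}

// Server side: answer an OPTIONS preflight. reqHeaders uses lowercase keys (as Node's
// http module delivers them). Only an allow-listed Origin is echoed back, and only
// methods/headers the resource supports are granted; unknown requests get 403.
function preflightResponse(reqHeaders, allowedOrigins, allowedMethods, allowedHeaders) {
  const origin = reqHeaders["origin"];
  const method = reqHeaders["access-control-request-method"];
  const requested = (reqHeaders["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (!allowedOrigins.has(origin)) return { status: 403, headers: {} };
  if (!allowedMethods.includes(method)) return { status: 403, headers: {} };
  if (!requested.every((h) => allowedHeaders.includes(h))) return { status: 403, headers: {} };
  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin, // per-origin, so caches must vary on Origin
      "Vary": "Origin",
      "Access-Control-Allow-Methods": allowedMethods.join(", "),
      "Access-Control-Allow-Headers": allowedHeaders.join(", "),
      "Access-Control-Max-Age": "600",
    },
  };
}
```

A GET with only an Accept header is simple, while adding Authorization or X-My-Custom-Header, or posting application/json, forces the preflight path.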