What is the motivation behind the introduction of preflight CORS requests?

by

I spent some time being confused as to the purpose of the preflight request but I think I’ve got it now.

The key insight is that preflight requests are not a security thing. Rather, they’re a not-changing-the-rules thing.

Preflight requests have nothing to do with security, and they have no bearing on applications that are being developed now, with an awareness of CORS. Rather, the preflight mechanism benefits servers that were developed without an awareness of CORS, and it functions as a sanity check between the client and the server that they are both CORS-aware. The developers of CORS felt that there were enough servers out there that were relying on the assumption that they would never receive, e.g. a cross-domain DELETE request that they invented the preflight mechanism to allow both sides to opt-in. They felt that the alternative, which would have been to simply enable the cross-domain calls, would have broken too many existing applications.

There are three scenarios here:

  1. Old servers, no longer under development, and developed before CORS. These servers may make assumptions that they’ll never receive e.g. a cross-domain DELETE request. This scenario is the primary beneficiary of the preflight mechanism. Yes these services could already be abused by a malicious or non-conforming user agent (and CORS does nothing to change this), but in a world with CORS the preflight mechanism provides an extra ‘sanity check’ so that clients and servers don’t break because the underlying rules of the web have changed.

  2. Servers that are still under development, but which contain a lot of old code and for which it’s not feasible/desirable to audit all the old code to make sure it works properly in a cross-domain world. This scenario allows servers to progressively opt-in to CORS, e.g. by saying “Now I’ll allow this particular header”, “Now I’ll allow this particular HTTP verb”, “Now I’ll allow cookies/auth information to be sent”, etc. This scenario benefits from the preflight mechanism.

  3. New servers that are written with an awareness of CORS. According to standard security practices, the server has to protect its resources in the face of any incoming request — servers can’t trust clients to not do malicious things. This scenario doesn’t benefit from the preflight mechanism: the preflight mechanism brings no additional security to a server that has properly protected its resources.

More Related Contents:

  1. Set-Cookie on Browser with Ajax Request via CORS
  2. Why is an OPTIONS request sent and can I disable it?
  3. Response to preflight request doesn’t pass access control check
  4. Returning redirect as response to XHR request
  5. What does it mean when an HTTP request returns status code 0?
  6. Same origin Policy and CORS (Cross-origin resource sharing)
  7. What security risks exist when setting Access-Control-Allow-Origin to accept all domains?
  8. Can you call ko.applyBindings to bind a partial view?
  9. Does an HTTP Status code of 0 have any meaning?
  10. WebSockets protocol vs HTTP
  11. CORS issue while making an Ajax request for oauth2 access token
  12. CORS request with Preflight and redirect: disallowed. Workarounds?
  13. API Gateway CORS: no ‘Access-Control-Allow-Origin’ header
  14. How to CORS-enable Apache web server (including preflight and custom headers)?
  15. Cross-Domain AJAX doesn’t send X-Requested-With header
  16. Access denied in IE 10 and 11 when ajax target is localhost
  17. $http.get is not allowed by Access-Control-Allow-Origin but $.ajax is
  18. What’s to stop malicious code from spoofing the “Origin” header to exploit CORS?
  19. What are proper status codes for CORS preflight requests?
  20. HTML5 Video is not working with AngularJS ng-src tag
  21. Returning redirect as response to Ajax (fetch, XHR, etc.) request
  22. Enable CORS in Golang
  23. HTTP Cookies and Ajax requests over HTTPS
  24. Using the HTTP Range Header with a range specifier other than bytes?
  25. Web sockets make ajax/CORS obsolete?
  26. Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at
  27. Cross-Origin Request Blocked
  28. How to block external http requests? (securing AJAX calls)
  29. Angular 2 HTTP Progress bar
  30. GET vs POST in AJAX?

Leave a Comment