Why is an OPTIONS request sent and can I disable it?

by

edit 2018-09-13: added some precisions about this pre-flight request and how to avoid it at the end of this reponse.

OPTIONS requests are what we call pre-flight requests in Cross-origin resource sharing (CORS).

They are necessary when you’re making requests across different origins in specific situations.

This pre-flight request is made by some browsers as a safety measure to ensure that the request being done is trusted by the server.
Meaning the server understands that the method, origin and headers being sent on the request are safe to act upon.

Your server should not ignore but handle these requests whenever you’re attempting to do cross origin requests.

A good resource can be found here http://enable-cors.org/

A way to handle these to get comfortable is to ensure that for any path with OPTIONS method the server sends a response with this header

Access-Control-Allow-Origin: *

This will tell the browser that the server is willing to answer requests from any origin.

For more information on how to add CORS support to your server see the following flowchart

http://www.html5rocks.com/static/images/cors_server_flowchart.png

CORS Flowchart

edit 2018-09-13

CORS OPTIONS request is triggered only in somes cases, as explained in MDN docs:

Some requests don’t trigger a CORS preflight. Those are called “simple requests” in this article, though the Fetch spec (which defines CORS) doesn’t use that term. A request that doesn’t trigger a CORS preflight—a so-called “simple request”—is one that meets all the following conditions:

The only allowed methods are:

  • GET
  • HEAD
  • POST

Apart from the headers set automatically by the user agent (for example, Connection, User-Agent, or any of the other headers with names defined in the Fetch spec as a “forbidden header name”), the only headers which are allowed to be manually set are those which the Fetch spec defines as being a “CORS-safelisted request-header”, which are:

  • Accept
  • Accept-Language
  • Content-Language
  • Content-Type (but note the additional requirements below)
  • DPR
  • Downlink
  • Save-Data
  • Viewport-Width
  • Width

The only allowed values for the Content-Type header are:

  • application/x-www-form-urlencoded
  • multipart/form-data
  • text/plain

No event listeners are registered on any XMLHttpRequestUpload object used in the request; these are accessed using the XMLHttpRequest.upload property.

No ReadableStream object is used in the request.

More Related Contents:

  1. CORS request with Preflight and redirect: disallowed. Workarounds?
  2. What are proper status codes for CORS preflight requests?
  3. What is the motivation behind the introduction of preflight CORS requests?
  4. CORS with POSTMAN
  5. When do browsers send the Origin header? When do browsers set the origin to null?
  6. CORS Access-Control-Allow-Headers wildcard being ignored?
  7. How to CORS-enable Apache web server (including preflight and custom headers)?
  8. Setting HTTP headers
  9. Angular2 OPTIONS method sent when asking for http.GET [duplicate]
  10. Cross Origin Resource Sharing with Credentials
  11. How to make XMLHttpRequest cross-domain withCredentials, HTTP Authorization (CORS)?
  12. Can I use an at symbol (@) inside URLs?
  13. HTTP redirect: 301 (permanent) vs. 302 (temporary)
  14. Is there a practical HTTP Header length limit?
  15. What is the difference between PUT, POST and PATCH?
  16. What’s the difference between a 302 and a 307 redirect?
  17. Should I URL-encode POST data?
  18. What, at the bare minimum, is required for an HTTP request?
  19. How to spoof http referer
  20. Why am I getting “(304) Not Modified” error on some links when using HttpWebRequest?
  21. Difference between Content-Range and Range headers?
  22. HTTP POST request in Inno Setup Script
  23. URL hash is persisting between redirects
  24. How WebSocket server handles multiple incoming connection requests?
  25. nginx close upstream connection after request
  26. Official references for default values of concurrent HTTP/1.1 connections per server? [closed]
  27. Does the HTTP Protocol support multiple content types in response headers?
  28. Sending browser cookies during a 302 redirect
  29. Is the Content-Length header required for a HTTP/1.0 response?
  30. What is the difference between server side cookie and client side cookie?

Leave a Comment