In CORS, a preflight request is sent with the OPTIONS method so that the server can respond whether it is acceptable to send the request. In this example, we will request permission for these parameters:
OPTIONS /resources/post-here/ HTTP/1.1
Host: bar.example
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Connection: keep-alive
Origin: https://foo.example
Access-Control-Request-Method: POST
Access-Control-Request-Headers: X-PINGOTHER, Content-Type
The server can now respond whether it will accept a request under these circumstances. In this example, the server response says that:

Access-Control-Allow-Origin - The https://foo.example origin is permitted to request the bar.example/resources/post-here/ URL via the following:

Access-Control-Allow-Methods - POST, GET, and OPTIONS are permitted methods for the URL. (This header is similar to the Allow response header, but used only for CORS.)

Access-Control-Allow-Headers - Any script inspecting the response is permitted to read the values of the X-PINGOTHER and Content-Type headers.

Access-Control-Max-Age - The above permissions may be cached for 86,400 seconds (1 day).

HTTP/1.1 204 No Content
Date: Mon, 01 Dec 2008 01:15:39 GMT
Server: Apache/2.0.61 (Unix)
Access-Control-Allow-Origin: https://foo.example
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: X-PINGOTHER, Content-Type
Access-Control-Max-Age: 86400
Vary: Accept-Encoding, Origin
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
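
The server-side decision behind the response above, as an added example that is not part of the original page: it answers a preflight from an explicit allowlist rather than echoing whatever the request asks for. The `POLICY` object, the function names and the 403 status used for a refused preflight are assumptions of this sketch.

```javascript
// Added example; POLICY, tokens and answerPreflight are hypothetical names.
const POLICY = {
  origins: new Set(["https://foo.example"]),
  methods: ["POST", "GET", "OPTIONS"],
  headers: ["x-pingother", "content-type"], // header names compare case-insensitively
  maxAge: 86400,
};

// Split a comma-separated header value into trimmed, non-empty tokens.
function tokens(value) {
  return (value || "").split(",").map((t) => t.trim()).filter(Boolean);
}

// req = { method, headers } with lower-cased header names; null means "not a preflight".
function answerPreflight(req, policy = POLICY) {
  const origin = req.headers["origin"];
  const method = req.headers["access-control-request-method"];
  if (req.method !== "OPTIONS" || !origin || !method) return null;
  // A refusal carries no Access-Control-Allow-* headers; 403 is this sketch's choice.
  const deny = { status: 403, headers: { Vary: "Origin" } };
  const asked = tokens(req.headers["access-control-request-headers"]);
  const allowed =
    policy.origins.has(origin) && // exact match, never a substring or regex test
    policy.methods.includes(method) &&
    asked.every((name) => policy.headers.includes(name.toLowerCase()));
  if (!allowed) return deny;
  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin, // an allowlisted value, not a blind echo
      "Access-Control-Allow-Methods": policy.methods.join(", "),
      "Access-Control-Allow-Headers": asked.join(", "),
      "Access-Control-Max-Age": String(policy.maxAge),
      Vary: "Origin", // the answer depends on Origin, so caches must key on it
    },
  };
}

// Constructed input: the preflight request shown on this page.
const SAMPLE = {
  method: "OPTIONS",
  headers: {
    origin: "https://foo.example",
    "access-control-request-method": "POST",
    "access-control-request-headers": "X-PINGOTHER, Content-Type",
  },
};
console.log(answerPreflight(SAMPLE));
```

Because the origin check is an exact set lookup, a look-alike such as `https://foo.example.other.example` is refused and receives no `Access-Control-Allow-Origin` header.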