Certain "cross-domain" requests, notably AJAX requests, are forbidden by default by the same-origin security policy of web browsers.
Cross-origin requests come in two flavors:
1. simple requests
2. "not-so-simple requests" (a term just made up)
Simple requests are requests that meet the following criteria:
HTTP method matches (case-sensitive) one of:
- HEAD
- GET
- POST

HTTP headers match (case-insensitive):
- Content-Type, but only if the value is one of
Handling a not-so-simple request
A not-so-simple request looks like a single request to the client, but it actually consists of two requests under the hood. The browser first issues a preflight request, which asks the server for permission to make the actual request. Once permission has been granted, the browser makes the actual request. The browser handles the details of these two requests transparently. The preflight response can also be cached so that a preflight is not issued before every request.
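
The server side of the preflight exchange described above, as an added example that is not code from the original page or from any particular framework. The allowlist values, the `handle_preflight` name and the 400/403/204 status choices are assumptions made for illustration; the CORS header names are the standard ones.

```python
# Added example: allowlist-based preflight handling. Policy values are constructed.
ALLOWED_ORIGINS = {"https://app.example.com"}            # assumed trusted origin
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}       # compared case-sensitively
ALLOWED_HEADERS = {"content-type", "x-requested-with"}   # compared in lowercase
MAX_AGE_SECONDS = 600  # how long the browser may cache the preflight result


def handle_preflight(headers):
    """Answer an OPTIONS preflight. Returns (status, response_headers).

    `headers` is a dict of request headers; keys are lowercased here
    because HTTP header names are case-insensitive.
    """
    req = {k.lower(): v for k, v in headers.items()}
    origin = req.get("origin")
    method = req.get("access-control-request-method")
    # Vary: Origin keeps shared caches from serving one origin's answer to another.
    resp = {"Vary": "Origin"}

    # Not a CORS preflight: no Origin or no requested method.
    if origin is None or method is None:
        return 400, resp
    # Permission is denied by omitting the Access-Control-Allow-* headers;
    # the browser then never sends the actual request.
    if origin not in ALLOWED_ORIGINS or method not in ALLOWED_METHODS:
        return 403, resp
    requested = [h.strip().lower()
                 for h in req.get("access-control-request-headers", "").split(",")
                 if h.strip()]
    if any(h not in ALLOWED_HEADERS for h in requested):
        return 403, resp

    resp.update({
        # Echo the origin only after the allowlist check, never unconditionally.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(sorted(ALLOWED_HEADERS)),
        "Access-Control-Max-Age": str(MAX_AGE_SECONDS),
    })
    return 204, resp
```

The actual request that follows a granted preflight still needs its own `Access-Control-Allow-Origin` header, so the same origin check belongs on that response too.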