CORS use cases

Content Platform Tenant Management Help

File Size
4269 KB
Part Number

With a proper CORS rules configuration for a namespace, the HCP software can process CORS requests from web applications hosted in a different domain (origin).

HCP supports the following CORS use cases.

Simple request

A simple request is a request that does not trigger a CORS preflight request. A simple request meets the following conditions:

  • The method request is GET, HEAD, or POST.
  • The only headers added manually are Accept, Accept-Language, Content-Language, Content-Type, DPR, Downlink, Save-Data, Viewport-Width, Width.
  • The Content-Type header value is application/x-www-form-urlencoded, multipart/form-data, or text/plain.
  • No ReadableStream object or event listeners are registered on any XMLHttpRequestUpload object that the request uses.

Preflight request

A preflight request is a CORS request that checks to see if the CORS protocol is understood. It is an OPTIONS request that uses three HTTP request headers:

  • Access-Control-Request-Method
  • Access-Control-Request-Headers
  • Origin

A web browser automatically issues a preflight request when needed. The browser determines whether it needs to send a preflight request based on the web application request parameters used in the JavaScript code. If the HCP server approves the validity of the preflight request, the server responds with an approval response header. Then, the web browser sends the actual HTTP resource request.

If any of the following conditions is true, the browser uses a preflight request before the actual resource request:

  • The request uses the Authorization header.
  • The request uses one of these methods: PUT, DELETE, OPTIONS.
  • The request uses headers and a Content-Type other than the ones used for a simple request (described above).
  • The request contains event listeners registered on an HTMLHttpRequestUpload object or a ReadableStream object.