preflight

I'm new to working with Cross Origin Resource Sharing and trying to get my webapp to respond to CORS requests. My webapp is a Spring 3.2 app running on Tomcat 7.0.42. In my webapp's web.xml, I have enabled the Tomcat CORS filter: <!-- Enable CORS (cross origin resource sharing) --> <!-- http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter --> <filter> <filter-name>CorsFilter</filter-name> <filter-class>org.apache.catalina.filters.CorsFilter</filter-class> </filter> <filter-mapping> <filter-name>CorsFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> My client

I was reading the spec on CORS requests, and I found this about preflight requests: These are requests to a non same origin URL with an HTTP request method other than GET that first need to be authorized using either a preflight result cache entry or a preflight request. I had thought the purpose of preflight requests was to check whether a request was allowed before making it, in case it (illegitimately) changed server state . But HEAD and OPTIONS don't modify server state. I must misunderstand the reason for preflight check. What is the purpose (aka the reason, motivation, or rationale) for

What status code should a well-written HTTP server return when it gets a CORS preflight ( OPTIONS ) request? 200 , 204 or something else? Should the status code be different in case origin is allowed (and corresponding headers will be set) or not allowed (and CORS headers will not be set or will not match the origin)? The gist of it is, just use 200 . A little more generally: You should just send back the same status code for the CORS preflight OPTIONS request that you’d send back for any other OPTIONS request. The relevant specs don’t require or recommend anything more than that. As far the

I have followed this step to setup my server to enable CORS. https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/enabling-cross-origin-requests-in-web-api But now in my browser dev console, I see this error message: XMLHttpRequest cannot load https://serveraddress/abc . Response for preflight is invalid (redirect) Do you know what can I do to fix it? I am making a CORS request in HTTPS. I think that is causing the 'preflight is invalid (redirect)' failure. But I don't know why or what is redirecting the OPTIONS request. Thank you. Your code is triggering your browser to send a