Yes. The request has to be made to the server, because the server could add the CORS header, which will allow it to proceed as normal.

It's a chicken-and-egg situation: the browser doesn't know if it can technically 'allow' the request without actually performing it. The browser makes the original request inert from the client application's perspective, i.e. the potentially malicious app is not allowed to access the results unless the server says it's OK. So in this case, where the request actually does something server side, it's also up to that server to decide if it wants to honour the request. It could check the referer (but only use it as a signal, don't rely on it not being spoofed) or use other means to verify the request (e.g. CSRF tokens).

On 1 September 2013 16:09, Abhishek Das <[email protected]> wrote:

> Link to the question:
> http://stackoverflow.com/questions/18558695/cross-origin-request-being-made-without-cors
>
> Somehow, we are able to make a cross origin XHR request on Chrome (latest
> stable) & Firefox without using CORS or anything of the sort. I am puzzled
> by this, hence this question.
>
> Make an XHR Post Request to
> http://partychat-hooks.appspot.com/post/p_mwe2ztni with the data:
>
> {body:"Some text"}
>
> If you are on a JQuery enabled site, just type
> $.post("http://partychat-hooks.appspot.com/post/p_mwe2ztni",{body:"Hello World"})
> on the console.
>
> The request goes from "Pending" to "Cancelled" over in the network tab.
> The browser even gives us a warning about "Origin not being allowed by
> Access-Control-Allow-Origin". However, wireshark tells me that the request
> is actually getting made (and is confirmed by a ping on the chatroom (join
> us at [email protected] to see it)).
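The server-side verification mentioned in the reply, as an added example that is not part of the original thread: a handler that acts on every request it receives next to one that treats `Origin` as a signal and requires a session-bound CSRF token. The handler names, the two origins, the `csrf_token` field and the dict-based request and session objects are all hypothetical stand-ins for a real web framework.

```python
import hmac
import secrets

ALLOWED_ORIGINS = {"https://chat.example"}  # assumption: the site's own origin
posted = []  # stands in for the server-side effect (a message reaching the chatroom)

def issue_csrf_token(session):
    """Bind a random token to the user's server-side session."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]

def naive_post(headers, form, session):
    """Acts on any request that arrives. Sending no Access-Control-Allow-Origin
    header only stops the calling page from reading the response."""
    posted.append(form["body"])
    return 200

def checked_post(headers, form, session):
    """Same action, performed only after the server has verified the request."""
    origin = headers.get("Origin")
    # Origin is a signal: reject a known-foreign value, but do not rely on it alone.
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403
    expected = session.get("csrf", "")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison of the token a cross-site page cannot read.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403
    posted.append(form["body"])
    return 200

def demo():
    """Run constructed requests through both handlers; return statuses and effects."""
    posted.clear()
    session = {}
    token = issue_csrf_token(session)
    cross_site = {"Origin": "https://other.example"}  # constructed sample headers
    same_site = {"Origin": "https://chat.example"}
    statuses = [
        naive_post(cross_site, {"body": "cross-site"}, session),
        checked_post(cross_site, {"body": "cross-site"}, session),
        checked_post(same_site, {"body": "no token"}, session),
        checked_post(same_site, {"body": "ok", "csrf_token": token}, session),
    ]
    return statuses, list(posted)

if __name__ == "__main__":
    print(demo())
```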
