On Thu, Feb 5, 2015 at 2:44 PM, Takeshi Yoshino <tyosh...@google.com> wrote:
> IIUC, CORS prevents clients from issuing non-simple cross-origin request > (even idempotent methods) without verifying that the server understands > CORS. That's realized by preflight. > Incorrect, the browser will perform idempotent requests (for instance <img> or XHR GET) across domains without a preflight request. It will however not make the data available to the client (javascript specifically) unless CORS is satisfied (XHR GET will error out, and <img> will throw a glError on gl.texImage2D if CORS isn't satisfied).