> 2. If the following conditions are true, follow the simple cross-origin
> request algorithm:
> - The request method is a simple method and the force preflight flag is
> - Each of the author request headers is a simple header or author request
> headers is empty.
> 3. Otherwise, follow the cross-origin request with preflight algorithm.

> request's unsafe request flag is set and either request's method is not a
> simple method or a header in request's header list is not a simple header
>   Set request's response tainting to CORS.
>   The result of performing an HTTP fetch using request with the CORS flag
> and CORS preflight flag set.

Authorization header is not a simple header.

On Thu, Feb 5, 2015 at 10:48 PM, Florian Bösch <> wrote:

> On Thu, Feb 5, 2015 at 2:44 PM, Takeshi Yoshino <>
> wrote:
>> IIUC, CORS prevents clients from issuing non-simple cross-origin request
>> (even idempotent methods) without verifying that the server understands
>> CORS. That's realized by preflight.
> Incorrect, the browser will perform idempotent requests (for instance
> <img> or XHR GET) across domains without a preflight request. It will
> however not make the data available to the client (javascript specifically)

That's the tainting part.

> unless CORS is satisfied (XHR GET will error out, and <img> will throw a
> glError on gl.texImage2D if CORS isn't satisfied).
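As an added example (not code from the thread or either spec), the quoted rule in JavaScript: a request is sent without preflight only when its method is a simple method, the force preflight flag is unset, and every author request header is a simple header, so adding Authorization is enough to trigger a preflight. The function and header-list names are my own; the CORS check at the end assumes a request without credentials.

```javascript
// Added example: classifies a cross-origin request as "simple" (sent without
// preflight) or "preflight", following the algorithm quoted above.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// True if (name, value) is a simple header per the CORS simple-header list.
function isSimpleHeader(name, value) {
  const n = name.toLowerCase();
  if (n === "accept" || n === "accept-language" || n === "content-language") {
    return true;
  }
  if (n === "content-type") {
    // Only the MIME type is checked; parameters such as charset are ignored.
    const mime = String(value).split(";")[0].trim().toLowerCase();
    return SIMPLE_CONTENT_TYPES.has(mime);
  }
  // Anything else (Authorization, X-Requested-With, ...) is not simple.
  return false;
}

// headers: author request headers (set by script, not by the user agent).
// forcePreflight mirrors the spec's "force preflight flag".
// Returns "simple" (step 2) or "preflight" (step 3).
function classifyCorsRequest(method, headers = {}, forcePreflight = false) {
  const simpleMethod = SIMPLE_METHODS.has(method.toUpperCase());
  const allSimple = Object.entries(headers).every(([k, v]) => isSimpleHeader(k, v));
  return simpleMethod && !forcePreflight && allSimple ? "simple" : "preflight";
}

// A simple request (an <img> or XHR GET) is still sent with response tainting
// set to CORS: the bytes reach the browser but are exposed to script only if
// the CORS check passes. For a request without credentials that means
// Access-Control-Allow-Origin is "*" or exactly the requesting origin.
function corsCheckPasses(requestOrigin, allowOriginHeader) {
  if (allowOriginHeader == null) return false;
  const v = String(allowOriginHeader).trim();
  return v === "*" || v === requestOrigin;
}
```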
