http://www.w3.org/TR/cors/#cross-origin-request-0
> 2. If the following conditions are true, follow the simple cross-origin request algorithm:
> - The request method is a simple method and the force preflight flag is unset.
> - Each of the author request headers is a simple header or author request headers is empty.
> 3. Otherwise, follow the cross-origin request with preflight algorithm.

https://fetch.spec.whatwg.org/#dfnReturnLink-7

> request's unsafe request flag is set and either request's method is not a simple method or a header in request's header list is not a simple header
> Set request's response tainting to CORS.
> The result of performing an HTTP fetch using request with the CORS flag and CORS preflight flag set.

Authorization header is not a simple header.

On Thu, Feb 5, 2015 at 10:48 PM, Florian Bösch <pya...@gmail.com> wrote:
> On Thu, Feb 5, 2015 at 2:44 PM, Takeshi Yoshino <tyosh...@google.com>
> wrote:
>
>> IIUC, CORS prevents clients from issuing non-simple cross-origin requests
>> (even idempotent methods) without verifying that the server understands
>> CORS. That's realized by preflight.
>>
>
> Incorrect, the browser will perform idempotent requests (for instance
> <img> or XHR GET) across domains without a preflight request. It will
> however not make the data available to the client (javascript specifically)

That's the tainting part.

> unless CORS is satisfied (XHR GET will error out, and <img> will throw a
> glError on gl.texImage2D if CORS isn't satisfied).
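The decision the two spec excerpts describe, as an added example written for this page and not code from either poster or from any browser: it applies the 2014 CORS Recommendation's "simple method" and "simple header" definitions quoted above to decide whether a request is sent directly or only after a preflight, and it models the no-cors/opaque case that `<img>` falls into (the Fetch spec's "unsafe request flag" is only set for requests made from script, which is why an image fetch never preflights but its data stays tainted). The function names, the `mode` field and the sample requests are this example's own assumptions; note that the current Fetch standard calls these "CORS-safelisted" methods and headers and adds further constraints (for example a limit on the combined header value length), so a browser may preflight in some cases this older definition would not.

```javascript
// Added example: preflight decision per the CORS Recommendation's
// "simple method" / "simple header" rules (not code from the thread).
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADER_NAMES = new Set([
  "accept",
  "accept-language",
  "content-language",
  "content-type",
]);
// Content-Type is only simple for these three media types.
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// A header is "simple" if its name is in the safelist and, for Content-Type,
// its media type (parameters such as charset stripped) is one of the three above.
function isSimpleHeader(name, value) {
  const n = name.trim().toLowerCase();
  if (!SIMPLE_HEADER_NAMES.has(n)) return false;
  if (n !== "content-type") return true;
  const mediaType = String(value).split(";")[0].trim().toLowerCase();
  return SIMPLE_CONTENT_TYPES.has(mediaType);
}

// Step 2/3 of the quoted CORS algorithm: simple method, force-preflight flag
// unset, and every author header simple => no preflight; otherwise preflight.
function needsPreflight(method, headers = {}, { forcePreflight = false } = {}) {
  if (forcePreflight) return true;
  if (!SIMPLE_METHODS.has(String(method).toUpperCase())) return true;
  return Object.entries(headers).some(([name, value]) => !isSimpleHeader(name, value));
}

// Classify a cross-origin request the way the thread distinguishes them.
// `mode` is an assumption of this example: "no-cors" models an <img> fetch
// (no unsafe request flag, response opaque to script); "cors" models XHR/fetch.
function classifyCrossOriginRequest({ mode = "cors", method = "GET", headers = {} }) {
  if (mode === "no-cors") {
    // Sent without preflight; the response is tainted/opaque, so script
    // (and gl.texImage2D) cannot read it unless the server opts in via CORS.
    return "no-cors: sent directly, response opaque to script";
  }
  return needsPreflight(method, headers)
    ? "cors: preflight (OPTIONS) required before the actual request"
    : "cors: simple request, sent directly; response readable only if CORS headers allow";
}

// Constructed sample requests illustrating the cases discussed above.
const SAMPLES = {
  imgTag: { mode: "no-cors", method: "GET" },
  xhrGet: { mode: "cors", method: "GET" },
  xhrGetWithAuth: { mode: "cors", method: "GET", headers: { Authorization: "Bearer constructed-token" } },
  formPost: { mode: "cors", method: "POST", headers: { "Content-Type": "text/plain; charset=utf-8" } },
  jsonPost: { mode: "cors", method: "POST", headers: { "Content-Type": "application/json" } },
};

function classifyAll(samples = SAMPLES) {
  const out = {};
  for (const [name, req] of Object.entries(samples)) out[name] = classifyCrossOriginRequest(req);
  return out;
}

console.log(classifyAll());
```

The `Authorization` case is the one the thread turns on: the method is simple, but the header is not, so an XHR GET carrying it goes through a preflight, whereas the same GET from an `<img>` tag is sent immediately and only its readability is gated.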