On Thu, Feb 19, 2015 at 11:45 AM, Anne van Kesteren <ann...@annevk.nl> wrote: > On Thu, Feb 19, 2015 at 11:43 AM, Brian Smith <br...@briansmith.org> wrote: >> 1. Preflight is only necessary for a subset of CORS requests. >> Preflight is never done for GET or HEAD, and you can avoid preflight >> for POST requests by making your API accept data in a format that >> matches what HTML forms post. Therefore, we're only talking about PUT, >> DELETE, less common forms of POST, and other less commonly-used >> methods. > > Euh, if you completely ignore headers, sure. But most HTTP APIs will > use some amount of custom headers, meaning *all* methods require a > preflight.
And you seem to forget that an HTTP API typically covers a large set of URLs (e.g. if you use remote database such as PouchDB). With CORS that requires at least one preflight per URL. -- https://annevankesteren.nl/