According to https://javascript.info/fetch-crossorigin#unsafe-requests:

Safe headers – the only allowed custom headers are:
…
Content-Type with the value application/x-www-form-urlencoded, multipart/form-data or text/plain.
If I understand the consequences correctly: sending a cross-origin POST request with the Content-Type header application/json will first trigger a preflight OPTIONS request, which needs to be handled correctly … before handling the actual POST request.

=> Why is application/json considered to be unsafe; what would be the risk of accepting the request directly?

(I have already spent hours trying to fix CORS settings and would like to understand the underlying issue.)
2 Answers
POST requests are considered to be unsafe because they are supposed to change things on the server.

For example: you don't want Alice to visit Mallory's evil site and have some Ajax there make an HTTP POST request to the intranet of the company that Alice works for and create an appointment for Mallory to come to the office and get past security. Nor do you want Mallory's site to be able to delete all the messages in your webmail. Etc.
POST requests with content-types that you can set in the enctype attribute aren't preflighted … but you could make those requests with a regular HTML form anyway (because regular HTML forms predate the idea of browsers implementing cross-origin security), so you already need explicit CSRF defences if you do anything with those content-types.

It is about the question of the simple request or the not-so-simple request.
Visit CORS: what's the purpose of Simple Request?
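To make the "simple request" distinction from both answers concrete, here is an added example of my own (not code from the question or either answer). It applies the Fetch standard's CORS-safelisted rules to decide whether a cross-origin request goes out directly or is preceded by an OPTIONS preflight, and it shows what the server has to put in the preflight response. The request objects are constructed for the demo and nothing is sent; as a simplification (my assumption, not the full standard), the extra limits on safelisted header values (128-byte length, allowed characters) are not checked.

```javascript
// Added example, not code from the question or either answer. Models the
// browser side of CORS: a request that an HTML <form> could already send is
// a "simple request" and is sent directly; anything else gets a preflight.
// Simplification (assumption): the Fetch standard's byte-length and
// character restrictions on safelisted header values are not checked.

const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
// Exactly the enctype values an HTML form can produce, so a cross-origin
// POST with these was always possible and gains nothing from a preflight.
const FORM_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// "text/plain; charset=utf-8" -> "text/plain"
function mediaTypeEssence(value) {
  return value.split(";")[0].trim().toLowerCase();
}

// Classify a request described as { method, headers }.
// Returns { preflight: boolean, reasons: string[] }.
function needsPreflight(req) {
  const reasons = [];
  const method = req.method.toUpperCase();
  if (!SAFELISTED_METHODS.has(method)) {
    reasons.push(`method ${method} is not GET, HEAD or POST`);
  }
  for (const [name, value] of Object.entries(req.headers || {})) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) {
      reasons.push(`header ${name} is not CORS-safelisted`);
    } else if (lower === "content-type" &&
               !FORM_CONTENT_TYPES.has(mediaTypeEssence(value))) {
      reasons.push(`Content-Type ${value} cannot be produced by an HTML form`);
    }
  }
  return { preflight: reasons.length > 0, reasons };
}

// What the server must answer on the OPTIONS preflight for `req` to be
// allowed. The browser sends Access-Control-Request-Method and
// Access-Control-Request-Headers; the server echoes back what it permits.
// Returns null when no preflight happens at all.
function preflightResponseFor(req, allowedOrigin) {
  if (!needsPreflight(req).preflight) return null;
  const requested = Object.keys(req.headers || {})
    .map((h) => h.toLowerCase())
    .sort();
  const response = {
    "Access-Control-Allow-Origin": allowedOrigin,
    "Access-Control-Allow-Methods": req.method.toUpperCase(),
    "Access-Control-Max-Age": "600", // seconds the browser may cache this answer
  };
  if (requested.length > 0) {
    response["Access-Control-Allow-Headers"] = requested.join(", ");
  }
  return response;
}

// Constructed sample requests (not captured traffic).
const formPost = {
  method: "POST",
  headers: { "Content-Type": "application/x-www-form-urlencoded" },
};
const jsonPost = {
  method: "POST",
  headers: { "Content-Type": "application/json" },
};
const bearerGet = { method: "GET", headers: { Authorization: "Bearer x" } };
const deleteReq = { method: "DELETE", headers: {} };

for (const [label, req] of Object.entries({ formPost, jsonPost, bearerGet, deleteReq })) {
  const { preflight, reasons } = needsPreflight(req);
  console.log(label, preflight ? "preflight because: " + reasons.join("; ")
                               : "simple request, sent directly");
}
```

The point the classifier makes visible: the form-encoded POST is sent without any preflight, so a server that relies on CORS alone is already exposed to it and needs a CSRF token or similar. The JSON POST only reaches the server if the OPTIONS response allows the origin, the method and the content-type header; when "fixing CORS settings" it is usually one of those three allow-headers that is missing.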