I am trying to send a cross-origin request. As far as the
Chrome :- Access-Control-Request-Headers: origin, content-type, accept
Safari :- Access-Control-Request-Headers: origin, content-type, accept
Firefox:- Access-Control-Request-Headers: content-type
There are a lot of different things going on here, so I'll answer them one at a time.
Chrome and Safari are both based on WebKit, which is why you are seeing the same behavior in those browsers (Chrome is moving to Blink soon, but that isn't in the hands of users yet).
The latest CORS spec states that
Accept is a simple request header.
Origin is not included in the list of simple request headers, but it would be silly for it not to be supported since it is the foundation of CORS. So technically Firefox is doing the right thing.
However note that although Chrome/Safari include the
Origin headers, they do not verify that those headers are included in the
Access-Control-Allow-Headers response header. You can verify this by visiting the following link:
Note that the preflight request has the header
Access-Control-Request-Headers: accept, origin, but there is no
Access-Control-Allow-Headers in the response. And the actual CORS request still succeeds.
Content-Type header is considered a simple request header only when its value is one of the following:
text/plain. All other values will trigger a preflight. That is probably what you are seeing here.
I have no idea why browsers behave this way. It might be something worth asking on the WebKit or Firefox message boards. Here is the code where WebKit sets the
It seems to be listing out all the headers, without removing the simple headers. I imagine there is code on the response side that only expects non-simple headers in the