I’d like to understand this a bit better. The mental model I’m operating with at the moment works something like this:
- JS hosted at foo.com wishes to access a resource hosted at bar.com. That’s not the sort of thing that browsers like to expose their users to, unless it can be shown that bar.com welcomes this request.
- So the foo.com JS essentially breaks the request into two halves. First we send a dataless request of the proper kind (GET, POST, etc) via the XMLHttpRequest object. The server at bar.com returns what it would ordinarily respond to basically any request, which might or might not include an Access-Control-Allow-Origin header. (EDIT: This was a misconception – see excellent comment by apsillers below)
- If the browser does get such a header, it scans it for the Origin (in this case foo.com). If present, it proceeds to send off the actual request that it was asked to send. If not, it refuses. (EDIT: This was also not quite right)
If this model is correct, I’m confused as to why the browser sends out an Origin header with this preliminary request. Doesn’t the checking-for-a-match happen client side? What does sending out this header achieve?
It is how CORS works. It is basically a handshake that says yes you are welcome to talk with me. You can not know if it is possible unless the 3rd party is contacted.
The following is a partial portion of the Preflighted_requests section of the MDN article: