In a development environment where everything is running on the same machine, this request is almost instant, but the story is very different in the wild. The picture on the left shows timings of a preflight request that was sent from an Eastern European location to a server located in the Western US.

In our case, most of our APIs expect JSON payloads. We also use other HTTP methods like PUT, PATCH and DELETE. We could make it work by sending a _method attribute to route the requests and by using the text/plain content type, despite the contents being in JSON format. However, we are committed to having clean APIs, so this is not an option for us.

Avoiding CORS Requests

As usual in the world of web development, there are ways to work around the restrictions imposed by browsers. This solution works only when both the site and the server share the same base domain.

Let's say you have a public API on and a user-facing site (the APP) on. Making a request from the APP to the API will trigger a preflight request because the subdomains are different. However, we can avoid the preflight request with a simple iframe. First we need to expose a new endpoint in our API that returns the following HTML.

There are two important things to notice here: Browsers allow changing the current document.domain to a super-domain.