Since the OpenScope protocol uses the “application/json” and “application/octet-stream” Content-Type headers to indicate the data being transferred, an HTTP OPTIONS request is made automatically by the browser to the server.
The server will respond with the following headers:
- Access-Control-Allow-Origin: *
- Access-Control-Allow-Headers: Content-Type
- Access-Control-Max-Age: 86400
The server will respond with the body:
- “Options Response Successful”
A simple cross-site request is one that meets all the following conditions:
The only allowed methods are:
Apart from the headers set automatically by the user agent (e.g. Connection, User-Agent, etc.), the only headers which are allowed to be manually set are:
The only allowed values for the Content-Type header are:
Unlike simple requests, “preflighted” requests first send an HTTP request by the OPTIONS method to the resource on the other domain, in order to determine whether the actual request is safe to send. Cross-site requests are preflighted like this since they may have implications to user data.
Upon receiving the response from the HTTP OPTIONS request, the browser will execute the POST request.
Information from on the Mozilla Developer Network page on HTTP access control.