Table Of Contents

Types of Cross-Origin HTTP Requests

Last Modified: November 16, 2020

Cross-origin HTTP requests, either simple or non-simple, determine whether the browser asks the target web service before sending a request.

Simple requests are cross-origin HTTP requests that do not require prior approval from the target web service before the request can be sent by the browser. An HTTP request must meet the following criteria to execute as a simple request:

  • Use a GET, HEAD, or POST node to make the request.
  • Include only CORS-safelisted request-headers in the request.
  • Set the Content-Type request header to one of the following values:
    • application/x-www-form-urlencoded
    • multipart/form-data
    • text/plain

Non-simple requests are cross-origin HTTP requests that must get approval from the target web service to send the actual HTTP request. The web browser sends a CORS preflight request to the target web service to ask for approval. The response to the CORS preflight request determines if the web browser can proceed to send the actual HTTP request. A cross-origin HTTP request executes as a non-simple request if it violates any of the criteria for a simple request.

CORS also enables credentialed requests. Credentialed requests may use HTTP cookies and HTTP Authentication headers, or allow TLS client certificates. By default, browsers do not include credentials with a cross-origin HTTP request. However, you can use the Configure CORS node in a WebVI to include credentials with a cross-origin request. The Configure CORS node has no effect on same-origin HTTP requests.


Recently Viewed Topics