CORS

AJAX requests (XHR) follow the same-origin policy (SOP).

CORS

Cross-Origin Resource Sharing (CORS) is a mechanism for relaxing SOP where cross-site interfacing is needed. CORS uses Access-Control-* HTTP headers to do this. The headers are not part of the HTTP/1.1 standard.

Requests that utilize CORS:

  • Ajax: through XMLHttpRequest API

  • Web Fonts: Cross domain font inclusion with @font-face in css

  • WebGL textures

  • Images: drawImage API

Request types:

Simple:

Uses GET/HEAD/POST. No custom headers (outside of the HTTP/1.1 specs) can be used. For a POST request the Content-Type must be one of:

  • application/x-www-form-urlencoded

  • multipart/form-data

  • text/plain

Only one HTTP request needs to be sent to complete the request.

Preflight:

Requests that fall outside of Simple: PUT, POST (with Content-Type: application/xml), or a GET request with a custom header. Before the main CORS request is sent, an OPTIONS request must first be sent to verify that it is safe to send the CORS request. The server's response to the OPTIONS request carries the Access-Control-* headers that approve it; Access-Control-Max-Age sets how long the browser may cache that preflight result.

Two HTTP requests need to be sent to complete the request.

Example AJAX func:

Example Preflight:

Allowed:

Reqs with Creds:

By default, Ajax CORS requests don't pass credentials. If the developer decides to send auth headers or cookies, then the withCredentials flag must be set.
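As an added example (not code from the original notes), the simple/preflight rules and the credentials behaviour above worked through in JavaScript: one function decides whether a request needs a preflight, one builds the OPTIONS request the browser would send, and one shows the server side answering it from an explicit origin allowlist instead of a wildcard. The origins, header names and the 600-second max age are constructed sample values.

```javascript
// Simple-request rules from the notes: GET/HEAD/POST, no custom headers,
// and for POST one of three Content-Type values.
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);
// Headers a simple request may carry; anything else is "custom" and forces a preflight.
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);

function needsPreflight(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED.has(lower)) return true;
    // e.g. POST with Content-Type: application/xml is not simple.
    const mediaType = String(value).split(';')[0].trim().toLowerCase();
    if (lower === 'content-type' && !SIMPLE_CONTENT_TYPES.has(mediaType)) return true;
  }
  return false;
}

// The OPTIONS request the browser sends before a non-simple CORS request.
function buildPreflight(origin, method, headers) {
  const requested = Object.keys(headers).map(h => h.toLowerCase()).sort().join(', ');
  const req = { method: 'OPTIONS', Origin: origin,
                'Access-Control-Request-Method': method.toUpperCase() };
  if (requested) req['Access-Control-Request-Headers'] = requested;
  return req;
}

// Server side: answer the preflight from an allowlist. A wildcard
// Access-Control-Allow-Origin cannot be combined with credentials, so the
// specific Origin is echoed back only when it is on the list.
function answerPreflight(preflight, allowedOrigins, allowCredentials) {
  if (!allowedOrigins.includes(preflight.Origin)) return { allowed: false, headers: {} };
  const headers = {
    'Access-Control-Allow-Origin': preflight.Origin,
    'Access-Control-Allow-Methods': preflight['Access-Control-Request-Method'],
    'Access-Control-Max-Age': '600', // browser may cache this decision for 600 s (sample value)
    'Vary': 'Origin',                // shared caches must key the response on Origin
  };
  if (preflight['Access-Control-Request-Headers']) {
    headers['Access-Control-Allow-Headers'] = preflight['Access-Control-Request-Headers'];
  }
  if (allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return { allowed: true, headers };
}
```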
