Hacker News new | comments | show | ask | jobs | submit login

The request is still made regardless, your JavaScript just won't be able to access the response without a CORS header set.

The request isn't actually made (at least not your request). The browser sends an OPTIONS request to get the CORS policy and then will block your request if its not allowed.

Edit: My above comment is slightly incorrect. If the request is "simple" it will be made and then you'll be blocked if it doesn't fit the CORS policy. If the request is not deemed "simple" (according to some rules you can look up in the spec) then the OPTIONS flow occurs.

Ah I see. I wondered if it dd some such thing. That's good to know.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact