Simple CORS Requests

Cross-origin requests that don't trigger preflight

CORS (Cross-Origin Resource Sharing) controls which websites can make requests to your server. When you make a request to a different origin (domain, port, or protocol), the browser checks if the server allows it.

"Simple" requests don't trigger a preflight check. They're sent directly, and the browser checks the response headers to decide whether JavaScript can access the result.

What Makes a Request "Simple"?

Criteria Simple Request Triggers Preflight
Method GET, HEAD, POST PUT, DELETE, PATCH
Content-Type text/plain
multipart/form-data
application/x-www-form-urlencoded 		application/json
Headers Only "CORS-safelisted" headers Custom headers like Authorization

Simple GET Request

// This is a simple request - no preflight const response = await fetch('https://api.example.com/data'); // Browser checks these response headers: // Access-Control-Allow-Origin: * (or your origin) if (response.ok) { const data = await response.json(); }

For a simple request, the browser sends the request immediately. The server must include Access-Control-Allow-Origin in the response for JavaScript to access the data.

What Happens Without CORS Headers

// If the server doesn't include CORS headers... try { const response = await fetch('https://no-cors-api.example.com/data'); // This might succeed... const data = await response.json(); // ...but this will fail! } catch (error) { console.error('CORS error'); // Error: Cross-Origin Request Blocked } // The request WAS made - the browser just blocks // JavaScript from reading the response!

CORS is enforced by the browser, not the server. The request still reaches the server and executes — CORS just prevents JavaScript from reading the response.

Try It Live