Why does CORS block custom headers?

I assume that the standard blocking of custom headers in CORS requests is there to prevent some kind of attack.

Is this assumption correct? If so, what kind of attack?


From https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS:

A CORS preflight request is sent using the OPTIONS method so that the server can respond whether it is acceptable to send the request with these parameters. The Access-Control-Request-Method header notifies the server, as part of the preflight request, that when the actual request is sent it will be sent with the POST request method.

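To make the preflight mechanism in the MDN quote concrete, here is an added example (not code from the question or from the Habr answer): the browser-side rule that decides when a custom header forces an OPTIONS preflight, and a server-side handler that only echoes back the headers its policy opts into. The policy values, origins and header names are constructed for illustration.

```python
"""Constructed example: a minimal CORS preflight decision on both sides.
Shows why a browser must ask (OPTIONS) before sending a custom header."""
from dataclasses import dataclass

# Headers a browser may send cross-origin without a preflight
# ("CORS-safelisted request headers"). Simplified: the real rule also
# restricts Content-Type to a few values and limits header length.
SAFELISTED = {"accept", "accept-language", "content-language", "content-type"}
SIMPLE_METHODS = {"GET", "HEAD", "POST"}


@dataclass
class CorsPolicy:
    allowed_origins: set[str]
    allowed_methods: set[str]
    allowed_headers: set[str]   # compared case-insensitively
    max_age: int = 600


# Constructed policy for a hypothetical API that trusts one front-end origin.
EXAMPLE_POLICY = CorsPolicy({"https://app.example"}, {"GET", "POST"},
                            {"X-Requested-With"})


def needs_preflight(method: str, headers: dict[str, str]) -> bool:
    """Browser-side rule: a non-simple method or any header outside the
    safelist (e.g. X-Requested-With, Authorization) triggers a preflight."""
    if method.upper() not in SIMPLE_METHODS:
        return True
    return any(name.lower() not in SAFELISTED for name in headers)


def preflight(policy: CorsPolicy, origin: str, req_method: str,
              req_headers: str) -> tuple[int, dict[str, str]]:
    """Server-side OPTIONS handler. req_headers is the raw
    Access-Control-Request-Headers value, e.g. "x-requested-with, authorization".
    Returns (status, response headers); 403 means the browser never sends
    the real request, so the custom header never reaches the application."""
    if origin not in policy.allowed_origins:
        return 403, {}
    if req_method.upper() not in policy.allowed_methods:
        return 403, {}
    requested = {h.strip().lower() for h in req_headers.split(",") if h.strip()}
    allowed = {h.lower() for h in policy.allowed_headers}
    if not requested <= allowed:
        return 403, {}   # at least one header the server did not opt into
    return 204, {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(sorted(policy.allowed_methods)),
        "Access-Control-Allow-Headers": ", ".join(sorted(requested)),
        "Access-Control-Max-Age": str(policy.max_age),
        "Vary": "Origin",
    }
```

The 403 branch is the point of the question: the server, not the browser, decides which custom headers a cross-origin page may send, and it does so before the real request (with any ambient cookies) is ever transmitted.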

-origin , - XHR/Fetch- - , , , img, script link.

HTML- A img, script link, , script B, , script B.

, XHR/Fetch , , , img/script/link.

, - , - , /, , - , - img/script/link.

CORS - - , . , , , - Access-Control-Allow-Headers // , Cross-origin XHR/Fetch .

, Access-Control-Allow-Headers, , arent - XHR/Fetch- JavaScript, - /, .

, "CORS", . , , , https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy https://en.wikipedia.org/wiki/Same-origin_policy. , CORS - , , , .


Source: https://habr.com/ru/post/1681229/
