OPTIONS
The OPTIONS method is an HTTP method used to find out which request options are allowed for a given server resource, so this request is made before the others, to find out which permissions the server accepts.
In this request, the server returns a list of headers containing some data, but it can also return an error if it has no request for the resources.
This can be done in two ways. The first is by specifying a URL in the request, for a specific analysis:
OPTIONS /index.html HTTP/1.1
The other way is to use an asterisk (*), which refers to the resources as a whole:
OPTIONS * HTTP/1.1
This request is initially made to find out the permissions offered for the resources, so you can use the other requests without returning an error.
For a simple request, you can use cURL to send this confirmation request, for example:
curl -X OPTIONS http://index.html -i
In this request, by default, if there are allowed fields, the server will return a header of the type Allow, which indicates which methods it accepts and permits, but it returns the data only as information:
HTTP/1.1 200 OK
Allow: OPTIONS, GET, HEAD, POST
Cache-Control: max-age=604800
Date: Thu, 13 Oct 2016 11:45:00 GMT
Expires: Thu, 20 Oct 2016 11:45:00 GMT
Server: EOS (lax004/2813)
x-ec-custom-error: 1
Content-Length: 0
If no requests are allowed, the server will return an empty header, which may occur temporarily for some resource.
The OPTIONS information is provided only in this request, to indicate which methods the server accepts. It is not used for sending confirmation.
CORS
It is a specification used to set up resource exchanges between browser and server securely, not allowing scripts to make cross-origin requests.
A request made with CORS is used to find out whether the server allows a specific request type, stating the parameters to be analyzed, i.e. a "custom" permission check for the server.
Here is a list of CORS headers that can be used in a request.
As an example, a request is created to find out whether a specific request that uses POST and has custom headers is accepted. The headers used are Access-Control-Request-Method, for the POST, and Access-Control-Request-Headers, for the custom headers:
OPTIONS /resources/post-here/ HTTP/1.1
Host: bar.other
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Origin: http://foo.example
Access-Control-Request-Method: POST
Access-Control-Request-Headers: X-PINGOTHER, Content-Type
From this "custom" request, the server analyzes it and, if allowed, responds with headers stating whether the specified fields may be requested. That answer is similar to an Allow answer.
HTTP/1.1 200 OK
Date: Mon, 01 Dec 2008 01:15:39 GMT
Server: Apache/2.0.61 (Unix)
Access-Control-Allow-Origin: http://foo.example
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: X-PINGOTHER, Content-Type
Access-Control-Max-Age: 86400
Vary: Accept-Encoding, Origin
Content-Encoding: gzip
Content-Length: 0
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/plain
The CORS mechanism supports secure cross-origin requests, which are requests with an origin (domain, protocol, and port) different from their own origin. With this, the request passes through the authentication made by the server and returns the result, to request a cross request.
In a request with CORS, the browser makes a request in which specific headers are passed, for example an Access-Control-Request-Method header, which asks which methods are allowed, and the server responds with Access-Control-Allow-Methods. That is, the browser requests a confirmation, the server responds with a header stating what is allowed, and the browser checks the returned data; if it is compatible, the browser will release the cross request between different domains.
Compatibility
All browsers have basic support for this type of request, both mobile and desktop browsers:
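The browser-side check described in the answer above (comparing the preflight's Access-Control-Request-* headers with the server's Access-Control-Allow-* headers), as an added example that is not part of the original answer. It is a simplified model that assumes a request without credentials; the function and constant names are hypothetical, and the ALLOW_ONLY reply is constructed to show that an Allow header alone does not satisfy a preflight.

```javascript
// Added example: simplified model of the browser's preflight decision.
// Assumes no credentials; redirects and the preflight cache are ignored.
const SAFELISTED_METHODS = ["GET", "HEAD", "POST"];

// Parse a raw HTTP message into its start line and lower-cased header map.
function parseMessage(raw) {
  const [startLine, ...lines] = raw.trim().split(/\r?\n/);
  const headers = {};
  for (const line of lines) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { startLine, headers };
}

// Split a comma-separated header value into trimmed tokens.
const tokens = (v) => (v || "").split(",").map((t) => t.trim()).filter(Boolean);

// Reasons the browser would block the cross-origin request ([] = released).
function preflightFailures(requestRaw, responseRaw) {
  const req = parseMessage(requestRaw).headers;
  const { startLine, headers: res } = parseMessage(responseRaw);
  const failures = [];
  const status = Number(startLine.split(" ")[1]);
  if (!(status >= 200 && status < 300)) failures.push("status " + status);
  const allowOrigin = res["access-control-allow-origin"];
  if (allowOrigin !== "*" && allowOrigin !== req["origin"]) failures.push("origin not allowed");
  const methods = tokens(res["access-control-allow-methods"]);
  const wanted = req["access-control-request-method"];
  if (!SAFELISTED_METHODS.includes(wanted) && !methods.includes("*") && !methods.includes(wanted))
    failures.push("method " + wanted + " not allowed");
  const allowed = tokens(res["access-control-allow-headers"]).map((h) => h.toLowerCase());
  for (const h of tokens(req["access-control-request-headers"]))
    if (!allowed.includes("*") && !allowed.includes(h.toLowerCase()))
      failures.push("header " + h + " not allowed");
  return failures;
}

// Abridged from the request/response exchange shown in the answer.
const REQUEST = `OPTIONS /resources/post-here/ HTTP/1.1
Origin: http://foo.example
Access-Control-Request-Method: POST
Access-Control-Request-Headers: X-PINGOTHER, Content-Type`;
const RESPONSE = `HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://foo.example
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: X-PINGOTHER, Content-Type`;
// Constructed: a plain OPTIONS reply that carries only Allow.
const ALLOW_ONLY = "HTTP/1.1 200 OK\nAllow: OPTIONS, GET, HEAD, POST";
```

Calling preflightFailures(REQUEST, RESPONSE) returns an empty list, while the ALLOW_ONLY reply fails on the origin and on both custom headers.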
It seems to me that your answer explains what OPTIONS is but does not explain exactly what should be returned in this type of request. From your reply, I understood that this type of request only needs to return the Allow header, nothing else; is that correct? In practice, what is the difference between Allow and Access-Control-Allow-Methods? – Costamilam
That question, "This information should be sent only in these requests or in the other?", refers to requests of the type OPTIONS and not to CORS – Costamilam
@Guilhermecostamilam I made some changes to the text – Gabriel Gonçalves
In the links you passed it is written "Responses to the OPTIONS method are not cacheable"; if the answer cannot be cached, why is it cached in your example? – Costamilam
@Guilhermecostamilam really, it is not "cacheable". It is just that this type of request brings what is released and what can be used. The example came from the MDN site itself. So much so that if you use the command curl -X OPTIONS https://developer.mozilla.org -i, pointing to their website, it will also return a header with similar information. – Gabriel Gonçalves