Problem when making AJAX DELETE request by sending JSON

No (*). When the browser is sending AJAX requests for a service, it will send all cookies related to the service domain. To protect the scenery where you navigate to http://site.malvado.com/, and the site sends a DELETE (or POST, or PUT) to http://seu.banco.com/contas, If the site uses a simple authentication mechanism based on the presence of a user cookie, then the site will delete your accounts. To prevent this type of attack, when a (modern) browser is sending requests to a domain other than the one on the page, it follows the cors protocol, that requires an OPTIONS request. If the server is aware of the possibility of these attacks (i.e., does not use a form of authentication that is vulnerable), then it will enable the CORS and will be able to respond to OPTIONS requests. If the service does not accept OPTIONS, then it is possible that it is not prepared to deal with the attacks of cross-Domain.

(*) However, there are situations where you want to go over this restriction. A few options:

• use of a proxy in the same domain as your website: your page requests for a service in the application. Since the domain is the same as on the page, the CORS restriction does not exist. The browser will send cookies of your domain, and your server code (e.g., PHP, C#) can request the final service. Note that you will not have any of that domain’s cookies, which "saves" the attack service
• use of some plug-in in the browser: depending on the implementation of the plug-in it may have access to all cookies, and in its implementation, it has no restriction of CORS. But this solution requires the user to install the plug-in on your machine, which greatly limits its use.