Prevent preflight OPTIONS when using sub domains

Solved this using the iframe technique which seems to be what Facebook / Twitter do.

Steps below:

1) Set the document.domain to be the root domain. So given the url http://site.mysite.com/ I set the domain in JavaScript like document.domain = 'mysite.com';

2) Setup an iframe which pulls a HTML file from the API Domain.

<iframe id="receiver" src="http://api.mysite.com/receiver" style="position:absolute;left:-9999px"></iframe>

This is set to be positioned so it can't be seen.

3) Set the HTML of the receiver page to set the domain:

<!DOCTYPE html><body><script>document.domain='mysite.com'</script></body></html>

4) Added an onload event to the iframe to capture the window once its loaded.

onload="window.tempIframeCallback()"

5) Assign the child window to a variable.

window.tempIframeCallback = function() {
  window.childWindow = window.receiver.contentWindow;
}

6) Make the XMLHttpRequest() from the childWindow instead of the main window. 

var xhr = new window.childWindow.XMLHttpRequest();

Now all requests will be sent without a preflight OPTIONS request.

7) When using jQuery, you can also set the source of xhr in the settings:

$.ajax({
  ...
  xhr: function() {
    return new window.childWindow.XMLHttpRequest();
  }
});

As a complement to @Phill's answer that deserves all the credits, here is the final html code, that also exposes the iframe's fetch function:

<!DOCTYPE html>
<html><body>
<script>
    document.domain = 'mysite.com';
    window.setupAPI = function() {
        var receiverWindow = window.receiver.contentWindow;
        // you may also want to replace window.fetch here
        window.APIfetch = receiverWindow.fetch;
        // same thing, you may as well replace window.XMLHttpRequest
        window.APIXMLHttpRequest = receiverWindow.XMLHttpRequest;
    }
</script>
<iframe id="receiver" 
        src="http://api.mysite.com/receiver" 
        style="position:absolute;left:-9999px"
        onload="window.setupAPI()"></iframe>
</body></html>

And of course the HTML "http://api.mysite.com/receiver" should retrieve:

<!DOCTYPE html>
<html><body><script>
    document.domain='mysite.com';
</script></body></html>

And then, within your JS code, you can now use APIfetch and APIXMLHttpRequest like you'd use fetch and XMLHttpRequest ... et voilà, no more preflight request whatever the method and content type used!

Tags:

Javascript

Ajax

Cors

Preflight

Recent Posts