You can actually just make an XMLHttpRequest that's the same as what the form would do; CORS won't block the request going through to the server, it just blocks the JavaScript seeing the response:
The only time the request is made by default is when it falls into the "simple" category, which as far as I'm aware, is limited to
- GET requests
- That only include known header fields
In all other cases, you fall into the other bucket. In that case the browser will make a preflight OPTIONS request (without any data) to check the CORS response headers configured by the server. Only then, if allowed by the response headers, will the browser actually make the POST.
---
Ok, I went and looked, apparently you can send POSTs, you just can't send application/json, only one of the default form content types (text/plain is one, though).
So I'm wrong - At least for Firefox, this would likely be the same request with the same behavior.
Does it? I mean, the returns the response to the browser, but I believe the browser then renders that new page, which should be harmless since the server isn't going to return a malicious page.
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Simpl...
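
An added example, not part of the original thread: a simplified model of the browser's "simple request" test discussed above, showing which script-made cross-origin requests are sent without an OPTIONS preflight. The function name `needsPreflight` and the sample requests are constructed for illustration; the model ignores the `Range` header, the header value length and byte restrictions, and XHR upload listeners.

```javascript
// Simplified model of the Fetch standard's CORS-safelisted rules (an
// approximation for illustration, not the browser's actual code).
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Returns true when the browser would send an OPTIONS preflight before
// the real request, false when the request goes straight to the server.
function needsPreflight(method, headers = {}) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (SAFE_HEADERS.has(lower)) continue;
    if (lower === "content-type") {
      // Only the MIME type counts; parameters such as charset are ignored.
      const essence = String(value).split(";")[0].trim().toLowerCase();
      if (SAFE_CONTENT_TYPES.has(essence)) continue;
    }
    return true; // any other script-set header forces a preflight
  }
  return false;
}

// Constructed sample requests: [method, headers set by the script].
const samples = [
  ["GET", {}],
  ["POST", { "Content-Type": "application/x-www-form-urlencoded" }],
  ["POST", { "Content-Type": "text/plain; charset=UTF-8" }],
  ["POST", { "Content-Type": "application/json" }],
  ["POST", { "X-Requested-With": "XMLHttpRequest" }],
  ["DELETE", {}],
];

for (const [method, headers] of samples) {
  const verdict = needsPreflight(method, headers) ? "preflight" : "sent directly";
  console.log(`${method} ${JSON.stringify(headers)} -> ${verdict}`);
}
```

Requests for which this returns `false` reach the server before any CORS check is applied, so the server processes them regardless of its CORS response headers.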