I realized I don't fully understand how an "preflight OPTIONS request" is handled by Express, this is a standard setting:
const cors = require('cors');
const app = express();
app.use(cors({
preflightContinue: true // here
}));
I have 3 questions:
what exactly is the difference between preflightContinue: true and preflightContinue: false
Which is the default express setting? - my guess is the flag defaulted to false
Most importantly: with preflightContinue: true, when/how does the OPTIONS request get responded to? Is it magically responded to with the normal request?
This option allows you to manufacture a response to preflight requests with your own middleware after the necessary headers have been set. See the source code.
A (completely artificial) example for this would be setting a non-standard header in preflight responses, like here:
app.use(cors({preflightContinue: true}))
.options("*", function(req, res) {
res.set("X-Preflight-Response", "true").end();
});
A better reason why this option is needed can be found in https://github.com/expressjs/cors/issues/305#issuecomment-1761041281.