node.jsexpresshttpcorspreflight

how does an OPTIONS request get handled if `preFlightContinue` is used


I realized I don't fully understand how an "preflight OPTIONS request" is handled by Express, this is a standard setting:

const cors = require('cors');

const app = express();

app.use(cors({
  preflightContinue: true  // here
}));

I have 3 questions:

  1. what exactly is the difference between preflightContinue: true and preflightContinue: false

  2. Which is the default express setting? - my guess is the flag defaulted to false

  3. Most importantly: with preflightContinue: true, when/how does the OPTIONS request get responded to? Is it magically responded to with the normal request?


Solution

  • This option allows you to manufacture a response to preflight requests with your own middleware after the necessary headers have been set. See the source code.

    A (completely artificial) example for this would be setting a non-standard header in preflight responses, like here:

    app.use(cors({preflightContinue: true}))
    .options("*", function(req, res) {
      res.set("X-Preflight-Response", "true").end();
    });
    

    A better reason why this option is needed can be found in https://github.com/expressjs/cors/issues/305#issuecomment-1761041281.