This article came to my mind when I was learning about content-type. Why do simple requests and non-simple requests distinguish different content-types, specifically which three? On what basis?

How do I distinguish simple/non-simple requests?

Browsers treat simple and non-simple requests differently in cross-domain requests:

Simple request:

  • Method: HEAD GET POST
  • The request header does not exceed the following fieldsAccept, accept-language, content-language, last-event-id, DPR, Downlink, save-data, viewport-width, Width, content-type: Application/X-www-form-urlencoded, multipart/form-data, text/plain are limited to three values

Non-simple request

A request that does not meet both of these conditions is a non-simple request. The browser does a pre-check request for non-simple requests. The precheck request sends the request mode, request header, and Origin of the request to the server, asking whether the server allows the request to be sent.

Why distinguish between simple and non-simple requests?

There are many questions about these limitations on simple and non-simple requests, and the reasons for the distinction between simple and non-simple requests are understood as follows:

For cross-domain requests, the server usually returns a CORS response header to tell the browser whether to allow the cross-domain operation. However, for some requests that directly modify or create new server resources, such as PUT DELETE, the server resources will be damaged before the response is returned. In response to this request, the browser needs to first perform a pre-check request, asking the server whether to allow the request, to achieve the purpose of protecting the server resources.

Later, I began to wonder if a Post request with a Content-Type of multipart/form-data would also modify server resources. Why classify it as a simple request?

After reading an article, why does CORS distinguish between “simple requests” and “precheck requests”? “And discovered that it might not be that simple.

  • Demarcating the basis for simple/precheck cross-domain requests

Traditional HTML forms make POST, GET, and HEAD requests without scripts. Content-type can be text/plain, multipart/form-data, and Application/X-www-form-urlencoded to send cross-domain requests (urls). In short, browsers do nothing to limit cross-domain requests in these forms.

Other forms of request cannot be implemented by normal forms and require scripts to add custom headers or methods (PUT, etc.) that the form itself cannot implement.

Use this to differentiate simple/precheck requests.

  • Why precheck non-simple cross-domain requests?

The reasons are as follows:

  1. To reduce the impact of non-simple cross-domain requests on the server (as mentioned at the beginning, the server sometimes does not want to ignore cross-domain requests), such as PUT and DELETE requests can directly create or modify or DELETE resources in the server. A precheck request prevents this from happening.

  2. Reduce the amount of computation the server has to do to determine whether to cross domains

For cross-domain requests that are not simple requests, the server calculates whether the request is cross-domain based on the precheck request. If the precheck request passes, the formal request does not need to be calculated again. And after a precheck request passes, each subsequent request will only send a formal request. Saves a lot of computation on the server side.

  • Why not precheck simple cross-domain requests?

The reasons are as follows:

  1. As mentioned from the beginning, forms can implement simple cross-domain requests that browsers can’t limit.
  2. There is no need to pre-check simple requests. For example, some POST requests just want to log and do not require a response from the server, but if the precheck request is added, it cannot be done without passing the precheck request. There are also GET and HEAD requests that just want to GET the resource and do not modify the resource, and they do not affect the server if they do not GET the response. In this case, adding precheck requests only adds to the burden on the server

Why not distinguish between simple form cross-domain requests and simple non-form cross-domain requests?

In the first place, forms are used to distinguish between simple form cross-domain requests and simple non-form cross-domain requests. How about prechecking requests for non-form simple cross-domain requests? Is that perfect? (smile).

Here’s why:

  1. By doing this, the server defaults to allowing forms to be requested across domains.

  2. It is also not necessary to precheck other simple non-form cross-domain requests, which do not have an unimaginable impact on the server and require the server to perform additional precheck responses.

  3. The server also needs to distinguish between form/non-form cross-domain requests.