CORS and preflight requests

[BehindTheMath]

• Insomnia Version: 5.12.4
• Operating System: Windows 10 x64

Details

Currently, Insomnia ignores any possible CORS issues, and always sends the request as is.

It would be nice to have the option to enable a strict CORS mode, where Insomnia would mirror the current behavior of browsers, by following the CORS spec and performing the following steps:

1. Check if the request requires a preflight request.
2. If yes, send a preflight request first.
3. If the server responds with an error, display that and abort the request.
4. If server responds with a preflight response, check the original request against the preflight response.
5. If it's valid, send the actual request and proceed as is done currently. (Also show the preflight request and response in the Timeline).
6. If it's not valid, display an error explaining why, and abort the request.

This would be valuable for testing and debugging CORS issues.

[welcome[bot]]

👋 Thanks for opening your first issue! If you're reporting a 🐞 bug, please make sure
you include steps to reproduce it. If you're requesting a feature 🎁, please provide real
use cases that would benefit. 👪

To help make this a smooth process, please be sure you have first read the
contributing guidelines.

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[BehindTheMath]

@insomnia I never received any response as to the viability of such a feature. Is this something you would consider adding to Insomnia?

[gschier]

Sorry I missed this one @BehindTheMath!

If someone with knowledge of CORS wants to take this one on I'd be happy to help get it to a releasable state.

[Pettrie]

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[BehindTheMath]

I think this is still a viable feature, and should not be marked stale.

[shutterstein]

I agree that this would be a viable feature. Sure wish I had it right now as we are working with some of these issues.

[achempak-polymer]

For what it's worth, you can simulate a preflight request by doing an OPTIONS request with your target host domain in the Host header, your target request type in the Access-Control-Request-Method header, and your target request headers in the Access-Control-Request-Headers header. See this Stack Overflow answer for more details.

Since Insomnia allows chaining requests (not sure how it works, though, since I've never tried it), you could make this request take place before all other requests, which would effectively simulate browser behavior.