In the MDN Access Control doc, GET requests with credentials are not preflighted. But if the response headers don't include Access-Control-Allow-Credentials: true, then the response will not be available to the invoking client. If this behaviour is the same for POST requests as well (a simple POST request with credentials; the Content-Type may be form-data), there is a risk that the POST might change the server state even though the response may not be made available to the client. Is this assumption correct?
Or are POST requests with credentials preflighted?
Preflight requests are intended to stop the browser from sending certain kinds of requests to a server unless the server explicitly allows it. However, browsers could already send credentialed POST requests directly to the server prior to the advent of CORS support.
The "Security Considerations" part of the CORS spec says (emphasis mine):
In other words, the ability to have credentialed POST requests reach the server without a preflight is nothing new: developers have been able to make it happen ever since browsers supported <form>s. Therefore, there is no benefit to requiring a preflight for Ajax that includes credentialed POST requests.
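The behaviour discussed in this question and answer, as an added example that is not part of the original posts: a simplified JavaScript model of the browser's two separate CORS decisions, whether a request is preflighted and whether the calling script may read the response. The function names and the `https://app.example` origin are assumptions, and the model omits the Fetch standard's finer header-value checks.

```javascript
// Simplified model of browser CORS decisions (constructed example).
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// True when the browser sends an OPTIONS preflight before the real request.
// Credentials (cookies, HTTP auth) play no part in this decision.
function needsPreflight({ method, headers = {} }) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(n)) return true;
    if (n === "content-type") {
      // Compare only the MIME type, ignoring parameters such as boundary.
      const essence = value.split(";")[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(essence)) return true;
    }
  }
  return false;
}

// True when the calling script is allowed to read the cross-origin response.
function responseReadable({ origin, credentials }, responseHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const acao = h["access-control-allow-origin"];
  if (credentials) {
    // With credentials, the wildcard is rejected and Allow-Credentials is required.
    return acao === origin && h["access-control-allow-credentials"] === "true";
  }
  return acao === "*" || acao === origin;
}

// Constructed sample: the simple credentialed POST from the question.
const formPost = {
  method: "POST",
  origin: "https://app.example",
  credentials: true,
  headers: { "Content-Type": "multipart/form-data; boundary=x" },
};
// The server handler runs (no preflight), yet the script cannot read the reply.
console.log(needsPreflight(formPost), responseReadable(formPost, {}));
```

Because the simple credentialed POST reaches the handler either way, the server has to reject unwanted cross-site state changes itself, for example with a CSRF token or an Origin header check.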