Querying the server for resource capabilities
OPTIONS Method
Preliminaries
This note provides supplementary information about the server's implementation of the standard HTTP OPTIONS method to query resource capabilities, and to implement cross-origin resource sharing exceptions.
The OPTIONS
request was used historically as a programmatic way to query the server about which methods a resource is able to handle. This is still one of its roles.
With the advent of the cross-origin resource sharing protocol, the OPTIONS
method has been pulled into the additional duty of providing a mechanism for browsers to determine if any exceptions to the same-origin policy have been granted by the server.
Request/response handlers
The server's request/response cycle for OPTIONS
requests is fulfilled using this sequence of handlers:
Request Handler | Optional | Configurable | |
---|---|---|---|
1 | Server Name Indication | no | no |
2 | Hosts | no | yes |
3 | IP Access | yes | yes |
4 | Resource Masks | yes | yes |
5 | Raw Path | no | no |
6 | Cookies | no | no |
7 | Forbidden | yes | yes |
8 | Cross Origin | yes | yes |
9 | RBAC | yes | yes |
10 | Allow | no | no |
Dynamic Handler | Optional | Configurable | |
11 | Router | yes | yes |
Response Handler | Optional | Configurable | |
12 | Content Length | no | no |
13 | Status Codes | no | yes |
Status codes
OPTIONS
requests always return status code 200
.
For reference purposes, refer to IETF RFC 7231 Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content section 4.3.7 for the basic protocol expected of HTTP OPTIONS
requests.
Refer to the W3C publication Cross-Origin Resource Sharing, dated January 16, 2014, for how the CORS protocol works.