When browsers send AJAX-JSONP requests, they often send a “preflight request” before the JSONP call. This request is a HTTP OPTIONS call asking the server whether it supports the cross origin resource sharing specification (in other words, JSONP requests).
To test a server’s support for cross origin resource sharing (CORS), you can use the cURL utility to emulate a HTTP OPTIONS request. A server that supports CORS will return a number of Access-Control headers specifying the requests it supports. Here’s an example cURL command:
curl -H "Origin: http://www.example.com" \ -H "Access-Control-Request-Method: POST" \ -H "Access-Control-Request-Headers: X-Requested-With" \ -X OPTIONS --verbose \ http://ip.jsontest.com/
Here’s an example of a proper CORS preflight response:
Access-Control-Allow-Origin is set to a wildcard, which means that all domains are permitted to make requests to it. Access-Control-Max-Age means that the results of this preflight request can be saved for 86,400 seconds (1 day). Access-Control-Allow-Methods means that GET and POST requests are supported.