behind another origin. This is an OPTIONS request that the browser will use to check the policy. The default behaviour of CORS requests is that they are sent without any of these credentials. The 12th annual .NET Conference is the virtual place to be for forward thinking developers who are looking to learn, celebrate, and collaborate. The code of the function is like this: var https = require('https');module.exports = function (context, req) {var options = {hostname: 'mytargethost.atargetdomain.com',//port: 443,path: '/v1/tag',method: 'POST',headers: {'Content-Type': 'application/json','x-api-key' : 'abcdefghi'}};var fwdreq = https.request(options, function(res) {var data = "";//res.setEncoding('utf8');res.on('data', (chunk) => {data += chunk;});res.on('end', () => {context.res.body = data;context.done();});});fwdreq.on('error', function(e) {context.res.body = 'problem with request: ' + e.message;context.done();});fwdreq.end(JSON.stringify(req.body));}; So, an incoming requests triggers the creation of an https request itself. This proxy is hosted to appear as the same origin as the requestor: There are a plethora of ways to setup a proxy. From the perspective of'mytargethost.atargetdomain.com', it is not a cors request anymore, its a simple request from a client. While simple requests do allow the browser to bypass CORS Preflight OPTIONS calls, composing a useful simple request can be challenging, If you like this post, give it a Thumbs up. It also employs a method in which browsers send a "preflight" request to the server hosting the cross-origin resource to ensure that the real request is permitted. If the target server accepts the OPTIONS request and notifies the web application that it's allowed to securely call it, the The origin is checked against the service's CORS rules to determine the success or failure of the preflight request. If your call pattern requires custom properties, such as auth tokens, custom metadata headers, etc. Resources/domains could only interact with resources from their own / parent domains back then. Monitoring API failures in production is very hard. the change is properly impacting your end-user's perceived performance. If your web product has performance issues Collect a Trace and send it to me at joe at webperf.tips and you could be featured in an article! It was required to give a solution for scenarios when one needed to "cross" origins on a webpage as soon as the same-origin policy was enforced. From a performance standpoint, this means that each HTTP communication with a backend of a different origin may require two roundtrips: one for In order to relax the same origin policy CORS helps modern browsers to achieve cross domain resource access. one-time setup cost on initializing the