I’m not new to CORS in the world of server admin but in the browser (Chrome 131, Windows) I am not as familiar.
I use a web app at tools.siteground.com. There is a button which when clicked uses fetch() to submit a PUT request to a separate domain, xyz.siteground.biz. When clicking the button the CORS request works, and in devtools’ network inspector we see the preflight and PUT requests both succeed with 200 status.
I want to replay this request in the browser on demand.
If I right-click the PUT request, I can “Copy as fetch” and paste it into the console. Since the original request was also a fetch() request, and I am pasting and running the same request in the console for the same document, it should operate exactly as if the page executed the request a second time. But, it fails.
When reviewing the network inspector we see a second preflight request, which succeeds, followed by the PUT request initiated in the console, which fails due to CORS error. The only notable difference from the prior, page-initiated, PUT request is the lack of any set cookies.
When reviewing the console error output, we see that a particular response header in the preflight response is considered problematic given that the request uses the header credentials:include
Q1: Why is there a second preflight request?
Q2: What exactly is going on here?
Q3: Is there any way to make it work in the browser or the only option is curl or similar?
