Presenters versus preflight requests (BC break)

David Grudl
Nette Core | 8173

If you are making AJAX requests to another (sub)domain, you may notice that the browser creates two requests with the same URL. The first of these requests uses the OPTIONS method and is known as a “preflight request”. Its purpose is to verify if the target server is configured to allow the AJAX request from the originating domain. You can find more information about this mechanism on MDN web docs.

However, this preflight request can lead to various unintended situations, especially if the presenter does not anticipate the OPTIONS method and thus performs a regular action for which the caller should not have permission. Therefore, starting from version nette/application v3.1.13, there is a restriction where presenters check that the HTTP method is one of the following: GET, POST, HEAD, PUT, DELETE (PATCH will be added later).

If your presenter expects and processes the OPTIONS method, it's important to add it to the allowed methods:

class MyPresenter extends Nette\Application\UI\Presenter
    protected function checkHttpMethod(): void
        $this->allowedMethods[] = 'OPTIONS';