On Thu, Feb 5, 2015 at 2:44 PM, Takeshi Yoshino <tyoshino@google.com> wrote:
> IIUC, CORS prevents clients from issuing non-simple cross-origin requests
> (even idempotent methods) without verifying that the server understands
> CORS. That's realized by preflight.
>
Incorrect, the browser will perform idempotent requests (for instance <img>
or XHR GET) across domains without a preflight request. It will however not
make the data available to the client (JavaScript specifically) unless CORS
is satisfied (XHR GET will error out, and <img> will throw a glError on
gl.texImage2D if CORS isn't satisfied).
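
The two decisions discussed in this exchange (whether a preflight is sent, and whether script may read the response) can be modelled as below. This is an added example, not part of the original thread; it is a simplified model of the Fetch specification's rules, and the function names and sample origins are hypothetical.

```javascript
// Simplified model of browser CORS decisions (added example; omits the
// spec's header value/length limits and the Range header rules).
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// True when the browser must send an OPTIONS preflight before the real request.
function needsPreflight(method, headers = {}) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFE_HEADERS.has(n)) return true;
    if (n === "content-type") {
      // Only the MIME type matters; parameters such as charset are ignored.
      const mime = String(value).split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// True when script running on `origin` may read the response.
function responseReadable(origin, responseHeaders, withCredentials = false) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const allow = h["access-control-allow-origin"];
  if (allow === undefined) return false;
  if (withCredentials) {
    // The wildcard is not accepted for credentialed requests.
    return allow === origin && h["access-control-allow-credentials"] === "true";
  }
  return allow === "*" || allow === origin;
}

// Outcome for one cross-origin request (assumes any required preflight succeeded).
function crossOriginOutcome(req, responseHeaders) {
  const preflight = needsPreflight(req.method, req.headers);
  return {
    preflight,
    // With no preflight, the server processes the request whatever its CORS headers say.
    reachesServerUnconditionally: !preflight,
    readable: responseReadable(req.origin, responseHeaders, req.withCredentials),
  };
}
```

A plain GET against a server that sends no CORS headers yields `preflight: false` and `readable: false`: the server still handles the request, so any side effect has to be guarded server-side rather than by CORS.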