Sending a regular CORS request using cUrl:
curl -H "Origin: http://example.com" --verbose
https://www.googleapis.com/discovery/v1/apis?fields= The -H "Origin: http://example.com" flag is the third party domain making the request. Substitute in whatever your domain is.
The --verbose flag prints out the entire response so you can see the request and response headers.
The url I'm using above is a sample request to a Google API that supports CORS, but you can substitute in whatever url you are testing.
The response should include the Access-Control-Allow-Origin header.
Sending a preflight request using cUrl:
curl -H "Origin: http://example.com"
-H "Access-Control-Request-Method: POST"
-H "Access-Control-Request-Headers: X-Requested-With"
-X OPTIONS --verbose
https://www.googleapis.com/discovery/v1/apis?fields= This looks similar to the regular CORS request with a few additions:
The -H flags send additional preflight request headers to the server
The -X OPTIONS flag indicates that this is an HTTP OPTIONS request.
If the preflight request is successful, the response should include the Access-Control-Allow-Origin, Access-Control-Allow-Methods, and Access-Control-Allow-Headers response headers. If the preflight request was not successful, these headers shouldn't appear, or the HTTP response won't be 200.
You can also specify additional headers, such as User-Agent, by using the -H flag.
shareimprove this answer edited Aug 29 '12 at 14:01 answered Aug 29 '12 at 13:42
monsur 19.6k66884 1 that page does not seem to return any CORS headers, is that correct? – Janus Troelsen Feb 24 '13 at 20:01
In order to view the actual headers, you need to add the --verbose option, as mentioned above. – monsur Feb 25 '13 at 14:24
Hmm, that may be a bug. Can you try the same request to the following url: server.cors-api.appspot.com/… – monsur Feb 25 '13 at 15:41
--verbose wasn't displaying headers for me either. I replaced it with "--trace-ascii -" – Bryan Larsen Sep 30 '13 at 15:00 2 or --head: curl -H "Origin: http://example.com" --head https://www.googleapis.com/discovery/v1/apis?fields= – John Bachir Apr 6 '14 at 5:30 1 Use --include to see the headers. – Mika Tuupola Feb 18 at 16:18
In the case of S3, the according headers are only added if the proper method is given, you can do so by using curl -H "Access-Control-Request-Method: GET" -H "Origin: http://example.com" -I https://s3.amazonaws.com/your-bucket/file. – Joscha Mar 2 at 2:13