Sorry if this is formatted improperly or posted in the wrong place.
Requested feature overview description.
Background:
When accessing cross-domain resources, web browsers (Firefox, Chrome) are supposed to send an OPTIONS pre-flight request to verify the headers and method are valid before sending the actual request. If the OPTIONS preflight passes, the actual request is sent. If the OPTIONS pre-flight fails, the actual request gets blocked by the browser.
My issue:
I have a website that accesses the API from a different domain (github.io page). For authorization, I currently use URL parameters, which do not trigger an OPTIONS pre-flight request. However, when trying to update authorization to use HTTP Basic Auth, an OPTIONS pre-flight request is sent to verify the authorization header. Currently, the API 404s OPTIONS requests (tested on GET https://e621.net/posts.json and POST https://e621.net/post_sets/<setID>/add_posts.json). The 404 is considered a pre-flight failure so the browser does not send the actual request.
Avoiding the OPTIONS pre-flight is not an option in this case (https://stackoverflow.com/a/29954326).
Requested Feature:
Update the API to handle OPTIONS requests to accept the Authorization header.
Why would it be useful?
This change would allow cross-domain API requests to use a more secure authorization method, as recommended on the wiki.
What part(s) of the site page(s) are affected?
All API URLs for the OPTIONS method.
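
An added example, not part of the original post or the site's own code: framework-independent logic a server could use to answer the pre-flight described above so that a cross-domain request carrying an Authorization header is allowed. The origin allowlist, method list, header list and max-age are assumed values.

```javascript
// Assumed policy values (constructed for this example).
const ALLOWED_ORIGINS = new Set(["https://example.github.io"]);
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["authorization", "content-type"];
const VARY = "Origin, Access-Control-Request-Method, Access-Control-Request-Headers";

// method: HTTP method of the incoming request.
// headers: request headers as an object with lower-cased names.
// Returns null when the request is not a CORS pre-flight (normal routing
// should handle it), otherwise { status, headers } for the response.
function preflightResponse(method, headers) {
  const origin = headers["origin"];
  const wantedMethod = headers["access-control-request-method"];
  if (method !== "OPTIONS" || !origin || !wantedMethod) return null;

  // Browsers send the pre-flight WITHOUT the Authorization header, so this
  // path must run before any authentication check, never behind it.
  const deny = { status: 403, headers: { "Vary": VARY } };
  if (!ALLOWED_ORIGINS.has(origin)) return deny;
  if (!ALLOWED_METHODS.includes(wantedMethod)) return deny;

  // Header names the browser intends to send on the actual request.
  const wantedHeaders = (headers["access-control-request-headers"] || "")
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);
  if (!wantedHeaders.every((h) => ALLOWED_HEADERS.includes(h))) return deny;

  return {
    status: 204,
    headers: {
      // Echo only an allowlisted origin; Vary keeps caches from reusing it.
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
      // Authorization must be listed by name: the "*" wildcard in
      // Access-Control-Allow-Headers does not cover it.
      "Access-Control-Allow-Headers": ALLOWED_HEADERS.join(", "),
      "Access-Control-Max-Age": "600",
      "Vary": VARY,
    },
  };
}
```

The response to the actual GET or POST must also carry Access-Control-Allow-Origin, otherwise the browser blocks the page from reading it even though the pre-flight passed.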