No 'Access-Control-Allow-Origin' but still processing

Question

I have two different servers and each have their own domain. I'm running an ajax script from one server to the other server. I am receiving the "No 'Access-Control-Allow-Origin'" error, BUT my server side script is still processing the request.

Is there a reason my server side script is processing the ajax request even though it is a CORS violation?

Update: Here is my code

var init,
    yourname,
    youremail,
    friendname,
    friendemail,
    message,
    url,
    data,
    request;

init = function() {
    yourname = $('input[name=yourName]').val();
    youremail = $('input[name=yourEmail]').val();
    friendname = $('input[name=friendName]').val();
    friendemail = $('input[name=friendEmail]').val();
    message = $('textarea[name=comments]').val();
    url = window.location.href;

    data ='yourName=' + yourname + '&yourEmail=' + youremail + '&friendName=' + friendname + '&friendEmail=' + friendemail + '&comments=' + message + '&url=' + url;

    request = $.ajax({
        type: 'POST',
        url: features.captureForm.processing,
        data: data,
        cache: false
    });

    request.done(function() {
        $('#form').css({'height':'0','overflow':'hidden'});
        $('#formHeader').find('h2').html('Thank you!');
        setTimeout(function(){
            HideShowForm.init();
            $('#form').css({'height':'auto'});
            $('#formHeader').find('h2').html('Send to a friend!');
        },3000);
    });

    request.fail(function() {
        console.log('Something went wrong');
    });
};

Answer 1

The request is sent and your server will process it as usual. Only its response will not be available for the client script. That is the point where CORS allows or denies anything, not when sending the request.

Answer 2

This is a simple misunderstanding of CORS on your part.

If the request is a "simple" cross-origin request (GET, POST, HEAD), it is no different than any cross-origin browser-based request that your server could have received before the CORS spec was drafted and implemented. The CORS spec wasn't designed to protect your server from such requests: it never was protected by default. If you want to discard such requests, you can look at the origin in your server code and simply not perform the requested operation if you prefer.

Non-simple cross-origin requests, such as PUT or DELETE requests, will invoke a "preflight" (OPTIONS) request by the browser, essentially asking your server "Is it ok to send this request?" Only if your server properly acknowledges will the underlying request will be sent. These types of non-simple cross-origin browser-based requests were not possible before the CORS spec, hence the additional layer of protection for older servers or those that don't want to opt-in to these new cross-origin requests.

Note that there are other factors that make a cross-origin request simple or not.