07 February 2018
That's not true.
Browsers will send the preflight request (OPTIONS) as soon as it's not considered a simple request, and for that there's requirements.
Such requirements might make the usability of the API, at least from a browser APP, void.
A simple cross-site request is one that meets all the following conditions:
The only allowed methods are: - GET - HEAD - POST
Apart from the headers set automatically by the user agent (e.g. Connection, User-Agent, etc.), the only headers which are allowed to be manually set are: - Accept - Accept-Language - Content-Language - Content-Type
The only allowed values for the Content-Type header are: - application/x-www-form-urlencoded - multipart/form-data - text/plain
A simple request will not cause a pre-flight OPTION request.
For instance these requirements don't allow the Authorization Header to be sent, which right now, as far as I know, is the only way to do Authorization for your API.
It might be possible to send simple requests if you also allow the API to receive the token as a query param.