Despite the performance cost, why did browsers introduce preflight requests for CORS?

Hyungsuk Choi
Mar 21, 2021

TL;DR: The key insight behind preflight requests is to impose no changes and no new risks on existing servers. Because preflight is opt-in, servers can adopt a cross-origin request mechanism without breaking the existing semantics of the web.

Browsers could not send Ajax requests to other origins because of the same-origin policy. The limitation existed for security reasons. For example, a form on the site a.com can be submitted to b.com with the user's cookies and do damage.

But over time, cross-origin requests became necessary, for example to communicate with an API gateway. So a way to make them possible began to be discussed: CORS.

However, if cross-origin requests that had not been possible became possible in browsers, servers would be exposed to security issues they had been shielded from until then. The developers of CORS felt that there were enough servers out there relying on the assumption that they would never receive such requests. They thought that simply enabling cross-origin requests would break many existing apps.

So the developers of CORS made it opt-in. Whether or not a server is aware of CORS, existing servers do not have to change. If CORS is needed, the server just responds to preflight requests with CORS headers.
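
The opt-in behaviour described above, modelled as an added example (not code from the original post): a simplified browser-side preflight check run against a server that predates CORS and one that opted in. The handler names, the `state` object and `https://other.example` are assumptions, and the model covers only a non-simple method (DELETE) without credentials.

```javascript
// Added example: simplified model of the preflight decision for a non-simple
// method (DELETE). Both server handlers are constructed for illustration.

// Legacy server written before CORS: it assumes DELETE only ever comes from
// its own pages and knows nothing about preflight, so OPTIONS gets a 405.
function legacyServer(req, state) {
  if (req.method === 'DELETE') {
    state.deleted = true;
    return { status: 204, headers: {} };
  }
  return { status: 405, headers: {} };
}

// Server that opted in: it answers the preflight with CORS headers for a.com.
function corsAwareServer(req, state) {
  const cors = { 'access-control-allow-origin': 'https://a.com' };
  if (req.method === 'OPTIONS') {
    return { status: 204, headers: { ...cors, 'access-control-allow-methods': 'DELETE' } };
  }
  if (req.method === 'DELETE') {
    state.deleted = true;
    return { status: 204, headers: cors };
  }
  return { status: 405, headers: {} };
}

// Browser side: send OPTIONS first, and send the real request only when the
// answer explicitly allows this origin and this method.
function crossOriginRequest(server, origin, method) {
  const state = { deleted: false };
  const preflight = server({
    method: 'OPTIONS',
    headers: { origin, 'access-control-request-method': method },
  }, state);
  const allowedMethods = (preflight.headers['access-control-allow-methods'] || '')
    .split(',').map((m) => m.trim().toUpperCase());
  const allowed = preflight.status >= 200 && preflight.status < 300
    && preflight.headers['access-control-allow-origin'] === origin
    && allowedMethods.includes(method);
  if (allowed) server({ method, headers: { origin } }, state);
  return { sent: allowed, deleted: state.deleted };
}

console.log(crossOriginRequest(legacyServer, 'https://a.com', 'DELETE'));
console.log(crossOriginRequest(corsAwareServer, 'https://a.com', 'DELETE'));
console.log(crossOriginRequest(corsAwareServer, 'https://other.example', 'DELETE'));
```

The legacy handler never sees the DELETE because its preflight answer carries no CORS headers, which is the "existing server doesn't change" property the post describes.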

This is why browsers introduced preflight requests for CORS despite the performance cost.
