Why is my cross-domain POST request programmed with an OPTIONS request?

According to the Mozilla HTTP access control Developer Center, cross-site POST requests can be "simple" - i.e. do not require preliminary verification - if the Content-Type request is application/x-www-form-urlencoded .

I do not get this behavior in Firefox, and I do not understand why this is so. Here is my installation code:

 function makeXDomainRequest(url, method, data) { var req = typeof XDomainRequest !== "undefined" ? new XDomainRequest() : new XMLHttpRequest(); req.open(method || "GET", url, true); if (typeof req.onload !== "undefined") { req.onload = onResponseLoad; req.onerror = onRequestError; } else { req.onreadystatechange = onRequestStateChange; } if (data && typeof req.setRequestHeader === "function") { req.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); } else { // no way to set Content-Type req header in IE XDomainRequest: // http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx } req.send(data || null); } function onResponseLoad() { alert("Response!\n" + this.responseText); } function onRequestError(args) { alert("Error!"); } function onRequestStateChange() { if (this.readyState === 4) { if (this.status === 200) { onResponseLoad.apply(this); } else { onRequestError.apply(this); } } } 

And here is the server on which I ping:

 // thanks to http://saltybeagle.com/cors/ for having this demo endpoint: var URL = "http://ucommbieber.unl.edu/CORS/cors.php"; 

Now, if I make a simple POST request - with data sent as application/x-www-form-urlencoded in the above code, the request is predefined in Firefox with an OPTIONS request. In Chrome, this is not preceded. Open Fiddler before starting this to see for yourself:

 makeXDomainRequest(URL, "POST", "name=foobar"); // alerts "Response! Hello CORS [...] You sent a POST request. Your name is foobar" 

Here is the preflight OPTIONS request in Fiddler (pay attention to the Access-Control-Request-Method: POST header, even if I indicated the supposedly safe Content-Type and without custom headers):

 OPTIONS http://ucommbieber.unl.edu/CORS/cors.php HTTP/1.1 Host: ucommbieber.unl.edu User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Connection: keep-alive Origin: http://localhost Access-Control-Request-Method: POST 

What's happening? Is this a bug in Firefox, or am I doing something wrong? Thanks!