"Simple" requests are sent without a OPTIONS preflight check. It's because old style forms could always do a cross-origin request, so you have to protect against it anyway.

For the full definition of what is a "simple" request: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simpl...

EDIT: Lol @ jakear making an almost identical response with the same Mozilla link.