For a pre-flighted request (triggered for example when the X-Requested-With header is set), any data returned by the preflight request is prepended to the actual request data. In the given url, a cross-domain request is triggered to a simple echo resource. The output for this resource is static, and sets the Access control headers to enable cross-origin requests: curl -i 'http://131.243.44.83/maschup/webkit_xdr_bug.pl' HTTP/1.1 200 OK Date: Tue, 30 Mar 2010 21:34:50 GMT Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny8 with Suhosin-Patch Access-control-allow-headers: X-Requested-With Access-control-max-age: 1728000 Access-control-allow-origin: * Access-control-allow-methods: * Vary: Accept-Encoding Content-Length: 4 Content-Type: text/plain echo The output from this echo script is always static, and always returns the Access-Control headers. When a cross-domain request is triggered from within a recent webkit (i.e. nightly webkit, or Chrome), the responseText contains the body from the preflight request as well as the body from the actual request. This can be seen at the page given in the URL (http://jbei-exwebapp.lbl.gov/maschup/webkit_xdr_bug.html). The HTTP specifications don't seem to say what the user-agent should do with the body of the request. Firefox (3.6.2) returns only the body from the actual request, and Safari (4.0.5 (5531.22.7) OS X 10.5) also returns only the body from the actual request.