Re: [fetch] RFC: a mechanism to bypass CORS preflight (#210)

@mnot Couldn't a reverse proxy detect that the OPTIONS request is a CORS preflight by looking for OPTIONS requests that contain an `Access-Control-Request-Method` header and where the response contains an `Access-Control-Max-Age` header?

But yes, the caching rules for such requests might get pretty complex. Is that the problem?

Anyhow, I don't really have opinions regarding @wenbozhu's initial proposal vs. @mnot's OPTIONS-caching proposal. That seems more like a question for HTTP gurus.

My experience, though, is that developers tend to loathe having to wait for additional roundtrips, which, if I understand correctly, both those proposals suffer from.

Though likely doing additional roundtrips for preflights is probably more ok since developers try to avoid those anyway, and if they can be cached, it means that you just pay the cost once per URL.

Though we already have situations where certain REST APIs end up doubling the number of requests that they do due to always using unique URLs for each request. Tripling the number of requests would likely not be popular.

Regarding having a server-wide opt-in to credential-less requests, as @annevk talks about, I still think that would be an interesting idea.

Does anyone have data on how often people make CORS requests with credentials vs. without credentials?

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/210#issuecomment-179397266

Received on Wednesday, 3 February 2016 18:42:10 UTC
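
The detection heuristic from the message above (an OPTIONS request carrying `Access-Control-Request-Method` whose response carries `Access-Control-Max-Age`), written out as an added example that is not part of the original message or of the Fetch specification. The function name `classifyPreflight`, the cache key (URL, `Origin`, requested method, requested headers) and the handling of a zero or non-numeric max-age are assumptions of this example; the sample URLs and header values are constructed.

```javascript
// Added example: proxy-side classification of a CORS preflight exchange.

// Header names are case-insensitive, so lower-case them before lookup.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Returns { cacheable, reason } or { cacheable, ttlSeconds, key }.
function classifyPreflight(method, url, reqHeaders, resHeaders) {
  const req = normalizeHeaders(reqHeaders);
  const res = normalizeHeaders(resHeaders);
  if (method !== "OPTIONS") return { cacheable: false, reason: "not OPTIONS" };
  const wanted = req["access-control-request-method"];
  if (!wanted) return { cacheable: false, reason: "no Access-Control-Request-Method" };
  const maxAge = res["access-control-max-age"];
  if (maxAge === undefined) return { cacheable: false, reason: "no Access-Control-Max-Age" };
  // Assumption: a zero, negative or non-numeric value means "do not cache".
  if (!/^\d+$/.test(maxAge) || Number(maxAge) === 0) {
    return { cacheable: false, reason: "unusable Access-Control-Max-Age" };
  }
  // Assumption: the answer depends on who asks and what they ask for, so the
  // key covers URL, Origin, requested method and the sorted requested headers.
  const requestedHeaders = (req["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean).sort().join(",");
  const key = [url, req["origin"] || "", wanted, requestedHeaders].join("|");
  return { cacheable: true, ttlSeconds: Number(maxAge), key };
}

// Constructed sample exchange.
const sample = classifyPreflight(
  "OPTIONS",
  "https://api.example/items/1",
  { Origin: "https://app.example",
    "Access-Control-Request-Method": "PUT",
    "Access-Control-Request-Headers": "X-Token, Content-Type" },
  { "Access-Control-Allow-Origin": "https://app.example",
    "Access-Control-Max-Age": "600" }
);
console.log(sample);
```

Because the URL is part of the key, an API that uses a unique URL for each request never gets a hit on a cached entry.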