Re: [whatwg/fetch] RFC: a mechanism to bypass CORS preflight (#210)

Hmmm. OK, just thinking out loud...

Whilst I do like the idea of utilizing the `/.well-known/` directory in the way that @mnot and others have suggested, it seems to me to be less 'intuitive' than using something like `Access-Control-Allow-Paths: /api/*, /other/*`. Of course, as has been discussed above, using the well-known location may make it easier to implement functionality other than just CORS, such as upgrade-insecure-policy.

I guess my feeling is that given that CORS is currently 'transparent' (the headers _themselves_ indicate which methods/headers/origins are allowed), moving to a separate 'opaque' system, where this information is held in a file which is referenced in the header just feels wrong in some way. It may be 'better', but it feels like it's less backwards-compatible, and it's going to require another set of skills by developers. Additionally, it may have flexibility issues in an organization where different teams control API development and the web server itself.

However, whichever system is used, I don't think that the issue with differently formatted paths (the IIS canonicalization bug) needs to be a deal-breaker, as long as the browser processing explicitly only allows 'full' paths - IOW, a value of `Access-Control-Allow-Paths: /api/,/api/goodapi/*` allows **only** requests to a resource which is directly in the /api/ directory (but no subdirectories) or which is in the /api/goodapi/ directory or one of its sub-directories. For instance, if, given the above OPTIONS response header, I subsequently get a POST like this:

www.example.com/api/..\process.cgi

even though the UA has cached `/api/` as a valid path, is it able to determine that the cached entry may not apply, and that therefore another preflight request should be made?

Since such a header (or a manifest in `/.well-known/`) will in theory be sent only once per browsing session, size isn't hugely important, is it?

---
https://github.com/whatwg/fetch/issues/210#issuecomment-225223742

Received on Friday, 10 June 2016 16:02:59 UTC
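The matching rule sketched in the comment above, written out as an added example that is not part of the thread and not code from the Fetch standard: a UA-side check of whether a cached `Access-Control-Allow-Paths` entry covers a later request. The header name and its `/dir/` versus `/dir/*` syntax are taken from the comment's proposal (it was never standardized), and the canonical-form test is an assumption about how a cautious UA could refuse to reuse a cached entry for a path like `/api/..\process.cgi` and fall back to a fresh preflight instead.

```javascript
// Added example (not from the thread): a UA-side matcher for the proposed
// `Access-Control-Allow-Paths` header as the comment describes it.
// The header never shipped; the syntax below follows the comment's sketch.

// Parse the comma-separated list into { prefix, recursive } entries.
// "/api/"          -> resources directly inside /api/ only
// "/api/goodapi/*" -> /api/goodapi/ and everything beneath it
function parseAllowPaths(headerValue) {
  return headerValue
    .split(',')
    .map((s) => s.trim())
    .filter((s) => s.length > 0)
    .map((entry) => {
      if (entry.endsWith('/*')) {
        // keep the trailing slash so "/api/goodapi/*" cannot match "/api/goodapiX"
        return { prefix: entry.slice(0, -1), recursive: true };
      }
      return { prefix: entry, recursive: false };
    });
}

// True only when the request path is already in canonical form: absolute,
// forward slashes only, no dot segments, no percent-encoded slashes or dots
// that a server might decode into a different path than the UA compared.
// (Rejecting every "%2e" is deliberately conservative: such requests are not
// blocked, they simply get a real preflight instead of a cache hit.)
function isCanonicalPath(path) {
  if (!path.startsWith('/')) return false;
  if (path.includes('\\')) return false;            // the comment's IIS-style "..\" case
  if (/%2f|%5c|%2e/i.test(path)) return false;
  const segments = path.split('/');
  for (let i = 1; i < segments.length; i++) {
    const seg = segments[i];
    if (seg === '.' || seg === '..') return false;
    // an empty middle segment ("//") is collapsed by some servers
    if (seg === '' && i !== segments.length - 1) return false;
  }
  return true;
}

// Decide whether a cached allow-list entry covers the request path.
// Non-canonical paths never match, so the caller issues a new preflight.
function cachedEntryApplies(headerValue, requestPath) {
  if (!isCanonicalPath(requestPath)) return false;
  return parseAllowPaths(headerValue).some(({ prefix, recursive }) => {
    if (!requestPath.startsWith(prefix)) return false;
    const rest = requestPath.slice(prefix.length);
    if (recursive) return true;       // any depth under the prefix
    return !rest.includes('/');       // directly in the directory, no subdirectory
  });
}

// Constructed inputs mirroring the comment's example.
const exampleHeader = '/api/,/api/goodapi/*';
console.log(cachedEntryApplies(exampleHeader, '/api/process.cgi'));      // true
console.log(cachedEntryApplies(exampleHeader, '/api/sub/process.cgi'));  // false
console.log(cachedEntryApplies(exampleHeader, '/api/goodapi/v2/x'));     // true
console.log(cachedEntryApplies(exampleHeader, '/api/..\\process.cgi'));  // false -> re-preflight
```

The point of `isCanonicalPath` is that the UA does not have to know how any particular server normalizes paths: anything it cannot match byte-for-byte against the allow-list just loses the cache shortcut and goes through a normal preflight.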