Re: CORS performance from Dale Harvey on 2015-02-19 (public-webappsec@w3.org from February 2015)

From: Dale Harvey <dale@arandomurl.com>
Date: Thu, 19 Feb 2015 11:17:07 +0000
To: Brian Smith <brian@briansmith.org>
Cc: Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>, Monsur Hossain <monsur@gmail.com>, Jonas Sicking <jonas@sicking.cc>
Message-ID: <CAD2UGCWciC1+1LmmR4390fZ=4ybW1u8mX-AaNvgYCQ15di1zdA@mail.gmail.com>

With Couch / PouchDB we are working with an existing REST API wherein every
request is to a different url (which is unlikely to change), the
performance impact is significant since most of the time is used up by
latency, the CORS preflight request essentially double the time it takes to
do anything

On 19 February 2015 at 10:50, Brian Smith <brian@briansmith.org> wrote:

> On Thu, Feb 19, 2015 at 2:45 AM, Anne van Kesteren <annevk@annevk.nl>
> wrote:
> > On Thu, Feb 19, 2015 at 11:43 AM, Brian Smith <brian@briansmith.org>
> wrote:
> >> 1. Preflight is only necessary for a subset of CORS requests.
> >> Preflight is never done for GET or HEAD, and you can avoid preflight
> >> for POST requests by making your API accept data in a format that
> >> matches what HTML forms post. Therefore, we're only talking about PUT,
> >> DELETE, less common forms of POST, and other less commonly-used
> >> methods.
> >
> > Euh, if you completely ignore headers, sure. But most HTTP APIs will
> > use some amount of custom headers, meaning *all* methods require a
> > preflight.
>
> Is it really true that most HTTP APIs will sue some amount of custom
> headers? And, is is it necessary for these APIs to be designed such
> that the custom headers are required?
>
> Cheers,
> Brian
>

Received on Thursday, 19 February 2015 11:17:37 UTC