Re: CORS performance from Dale Harvey on 2015-02-19 (public-webappsec@w3.org from February 2015)

From: Dale Harvey <dale@arandomurl.com>
Date: Thu, 19 Feb 2015 13:45:55 +0000
To: Brian Smith <brian@briansmith.org>
Cc: Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>, Monsur Hossain <monsur@gmail.com>, Jonas Sicking <jonas@sicking.cc>
Message-ID: <CAD2UGCX7Lfa5+4huQ5eYz3+MtYt83RzBPBURfurijCXdFUr99A@mail.gmail.com>
> If the cache is against the url, and we are sending requests to different
urls, wont
> requests to different urls always trigger a preflight?

I just realised my mistake, GETS without custom headers should need to
trigger preflight requests, sorry

On 19 February 2015 at 13:31, Dale Harvey <dale@arandomurl.com> wrote:

> Will take a look at the content-type on GET requests, thanks
>
> > I believe none of these require preflight unless a mistake is being
> > made (probably setting Content-Type on GET requests).
>
> http://www.w3.org/TR/cors/#preflight-result-cache-0
>
> If the cache is against the url, and we are sending requests to different
> urls, wont requests to different urls always trigger a preflight?
>
> > Also, regardless, you can use the CouchDB bulk document API to fetch
> > all these documents in one request, instead of 70,000 requests.
>
> CouchDB has no bulk document fetch api, it has all_docs but that isnt
> appropriate for this case, there is a talk about introducing it
> https://issues.apache.org/jira/browse/COUCHDB-2310, however its going to
> take a while (I would personally rather we replace it with a streaming api)
>
> > I agree that things can be improved here. I think the solution may be
> > better developer tools. In particular, devtools should tell you
> > exactly why a request triggered preflight.
>
> Whats wrong with 'This origin is part of the public internet and doesnt
> need any complications or restrictions due to CORS' ie Anne proposal?
>
>
> On 19 February 2015 at 13:21, Brian Smith <brian@briansmith.org> wrote:
>
>> On Thu, Feb 19, 2015 at 4:49 AM, Dale Harvey <dale@arandomurl.com> wrote:
>> >> so presumably it is OK to set the Content-Type to text/plain
>> >
>> > Thats not ok, but may explain my confusion, is Content-Type considered a
>> > Custom Header that will always trigger a preflight?
>>
>> To be clear, my comment was about POST requests to the bulk document
>> API, not about other requests.
>>
>> I ran your demo and observed the network traffic using Wireshark.
>> Indeed, OPTIONS requests are being sent for every GET. But, that is
>> because you are setting the Content-Type header field on your GET
>> requests. Since GET requests don't have a request body, you shouldn't
>> set the Content-Type header field on them. And, if you do, then
>> browsers will treat it as a custom header field. That is what forces
>> the preflight for those requests.
>>
>> Compare the network traffic for these two scripts:
>>
>>   <script>
>>     xhr=new XMLHttpRequest();
>>     xhr.open("GET",
>> "
>> http://skimdb.iriscouch.com/registry/_changes?timeout=25000&style=all_docs&since=209&limit=100&_nonce=xhGtdb3XqOaYCWh4
>> ",
>> true);
>>     xhr.setRequestHeader("Accept","application/json");
>>     xhr.setRequestHeader("Content-Type","application/json");
>>     xhr.send();
>>   </script>
>>
>>   <script>
>>     xhr=new XMLHttpRequest();
>>     xhr.open("GET",
>> "
>> http://skimdb.iriscouch.com/registry/_changes?timeout=25000&style=all_docs&since=209&limit=100&_nonce=xhGtdb3XqOaYCWh4
>> ",
>> true);
>>     xhr.setRequestHeader("Accept","application/json");
>>     xhr.send();
>>   </script>
>>
>> They are the same, except the second one doesn't set the Content-Type
>> header, and thus it doesn't cause the preflight to be sent.
>>
>> > if so then none of the
>> > caching will apply, CouchDB requires sending the appropriate
>> content-type
>>
>> CouchDB may require sending "Accept: application/json", but that isn't
>> considered a custom header field, so it doesn't trigger preflight.
>>
>> > The /_changes requests are only part of the problem, once we receive the
>> > changes information we then have to request information about individual
>> > documents which all have a unique id
>> >
>> >   GET /registry/mypackagename
>> >
>> > We do one of those per document (70,000 npm docs), all trigger a
>> preflight
>> > (whether or not custom headers are involved)
>>
>> I believe none of these require preflight unless a mistake is being
>> made (probably setting Content-Type on GET requests).
>>
>> Also, regardless, you can use the CouchDB bulk document API to fetch
>> all these documents in one request, instead of 70,000 requests.
>>
>> > Also performance details aside every week somebody has a library or
>> proxy
>> > that sends some custom header or they just missed a step when
>> configuring
>> > CORS, its a constant source of confusion for our users. We try to get
>> around
>> > it by providing helper scripts but Anne's proposal mirroring flashes
>> cross
>> > domain.xml sounds vastly superior to the current implementation from the
>> > developers perspective.
>>
>> I agree that things can be improved here. I think the solution may be
>> better developer tools. In particular, devtools should tell you
>> exactly why a request triggered preflight.
>>
>> Cheers,
>> Brian
>>
>
>
Received on Thursday, 19 February 2015 13:46:24 UTC