[whatwg/fetch] Cache-Friendly Access-Control-Allow-Origin (#890)

The CORS response header [`Access-Control-Allow-Origin`](https://github.com/whatwg/fetch/blob/master/review-drafts/2018-06.bs#L2109) currently only allows two possible values, the wildcard `*` or the value of the `Origin` request header.
If more than one `Origin` is allowed, a `Vary: Origin` response header is required for interoperability with caching intermediaries downstream and the client cache.
Consequently, caches will need to maintain one copy of the respective object for each possible Origin value. Note this will also multiply the body even if the only thing varying across objects is `Access-Control-Allow-Origin`. Cache multiplication implies storage overhead and lower hit rates, and, consequently, worse latencies.
To avoid the cache multiplication, the only option known to me is custom logic at the edge.

To solve this issue, the value of the `Access-Control-Allow-Origin` response header would need to support multiple values, possibly allowing some pattern or other means to span multiple authorities.

Ideas:
* `samesite`:_domain_ : Any authority below _domain_ with the same scheme and any port
* _scheme_`://`_pattern_  :  _pattern_ could be a simple pattern similar to [glob patterns](https://en.wikipedia.org/wiki/Glob_%28programming%29) with wildcards not including the dot `.`

Whatever extensions are added to individual components of `Access-Control-Allow-Origin`, a list of allowed origins or patterns would be required.

Example:

```
Access-Control-Allow-Origin: samesite:example.com, https://*.sub.bar.com:8443, http://bar.com
```

I do not cover the question of the upgrade path in here, but something along the lines of the one laid out in [origin-policy](https://github.com/WICG/origin-policy) or [this old post](https://lists.w3.org/Archives/Public/public-webappsec/2014Apr/0062.html) should work.

Thanks to @annevk and @yoavweiss for the discussion during the HTTP workshop 2019 and the samesite idea.

Old reference:
https://lists.w3.org/Archives/Public/public-webappsec/2014Apr/0060.html

https://github.com/whatwg/fetch/issues/890

Received on Wednesday, 3 April 2019 08:26:00 UTC
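As an added example, not part of the issue text or of the Fetch specification, the following Python sketch implements the matching rules the proposal above implies (`samesite:domain`, `scheme://host-glob[:port]` with a `*` that never crosses a dot, and literal origins), places it beside the per-origin echo plus `Vary: Origin` that the current spec forces, and computes HTTP cache keys to show why the echo multiplies cache entries while a static list value does not. Two points the proposal leaves open are filled in here as assumptions: `samesite` is taken to cover the domain itself and any subdomain, compared against the scheme of the resource being served, and an entry without an explicit port is taken to mean that scheme's default port. All origins and the allow list are constructed sample values.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_origin(origin):
    """Split a serialized origin such as https://a.example.com:8443 into
    (scheme, host, port); return None for anything that is not a plain origin
    (e.g. the opaque origin "null", or a value carrying a path)."""
    try:
        parts = urlsplit(origin.strip())
        port = parts.port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname or parts.path or parts.query:
        return None
    return parts.scheme, parts.hostname.lower(), port if port is not None else DEFAULT_PORTS[parts.scheme]


def origin_matches(origin, entry, resource_scheme="https"):
    """Test one request Origin against one entry of the proposed list syntax.
    Entries: '*', 'samesite:<domain>', or '<scheme>://<host-glob>[:port]' where
    '*' matches any run of characters that contains no dot."""
    parsed = parse_origin(origin)
    if parsed is None:
        return False
    scheme, host, port = parsed
    entry = entry.strip().lower()
    if entry == "*":
        return True
    if entry.startswith("samesite:"):
        # Assumption: "below <domain>" covers the domain itself and any subdomain,
        # and "same scheme" is compared against the scheme of the resource served.
        domain = entry[len("samesite:"):]
        return scheme == resource_scheme and (host == domain or host.endswith("." + domain))
    if "://" not in entry:
        return False
    pat_scheme, rest = entry.split("://", 1)
    host_pat, _, port_str = rest.partition(":")
    if pat_scheme != scheme or pat_scheme not in DEFAULT_PORTS:
        return False
    if port_str and not port_str.isdigit():
        return False
    # Assumption: an entry without an explicit port means that scheme's default port.
    pat_port = int(port_str) if port_str else DEFAULT_PORTS[pat_scheme]
    if pat_port != port:
        return False
    # Glob to regex: every '*' becomes "zero or more non-dot characters", so a
    # wildcard can never span a label boundary (https://*.bar.com does not match a.b.bar.com).
    host_re = "^" + re.escape(host_pat).replace(r"\*", "[^.]*") + "$"
    return re.match(host_re, host) is not None


def origin_allowed(origin, allow_header, resource_scheme="https"):
    """True if the Origin matches any comma-separated entry of the proposed header value."""
    return any(origin_matches(origin, e, resource_scheme) for e in allow_header.split(",") if e.strip())


def cors_headers_today(request_origin, allowed_origins):
    """Current spec: echo the exact Origin back and add Vary: Origin so that a
    cache never serves one origin's response to a different origin."""
    headers = {"Vary": "Origin"}
    if request_origin in allowed_origins:
        headers["Access-Control-Allow-Origin"] = request_origin
    return headers


def cors_headers_proposed(allow_header):
    """Under the proposal the header value is static, so Vary: Origin is unnecessary."""
    return {"Access-Control-Allow-Origin": allow_header}


def cache_key(url, request_headers, response_headers):
    """Cache key the way an HTTP cache builds it: the URL plus the values of the
    request headers named in the response's Vary header."""
    req = {k.lower(): v for k, v in request_headers.items()}
    vary = [h.strip().lower() for h in response_headers.get("Vary", "").split(",") if h.strip()]
    return (url,) + tuple((h, req.get(h, "")) for h in vary)


def distinct_cache_entries(url, origins, respond):
    """Number of cache entries one URL occupies when fetched from each of the given
    origins; `respond` maps a request Origin to the headers the server would send."""
    return len({cache_key(url, {"Origin": o}, respond(o)) for o in origins})


if __name__ == "__main__":
    # Constructed sample values, mirroring the example in the proposal.
    allow = "samesite:example.com, https://*.sub.bar.com:8443, http://bar.com"
    for o in ["https://api.example.com", "https://a.b.sub.bar.com:8443", "https://evil.test"]:
        print(o, "->", origin_allowed(o, allow))
    origins = ["https://a.example.com", "https://b.example.com", "https://c.example.com"]
    print("entries with echo+Vary:", distinct_cache_entries("https://api.example.com/d", origins, lambda o: cors_headers_today(o, set(origins))))
    print("entries with static list:", distinct_cache_entries("https://api.example.com/d", origins, lambda o: cors_headers_proposed(allow)))
```

Whichever syntax is eventually adopted, the allow list remains the trust boundary: the no-dot rule for `*` is what keeps `https://*.bar.com` from also admitting `https://anything.attacker.bar.com`-style multi-label hosts, and the scheme and port comparisons are what stop an `http://` origin from riding on an `https://` entry. A static header value also means a misconfigured list is served to every client from the cache, so the list deserves the same review as any other origin allow list.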