Re: [CORS] Applying preflight cache to an entire domain? from Monsur Hossain on 2012-04-18 (public-webapps@w3.org from April to June 2012)

From: Monsur Hossain <monsur@gmail.com>
Date: Wed, 18 Apr 2012 11:34:42 -0500
To: Anne van Kesteren <annevk@opera.com>
Cc: public-webapps@w3.org
Message-ID: <CAKSyWQkqzRaQwWzh5GApFiQhHCp29akcboTyQH5pWG3iGZm0pQ@mail.gmail.com>

Ah thank you! I agree that url canonicalization is a difficult issue to
solve. FWIW, I was envisioning something much simpler. The CORS spec makes
it clear that cache lookup should be done by origin and request url. So
instead of specifying a url to this Access-Control-Policy-Path header, it
would be just one of three values:

   - "url" - (default behavior) Cache lookup is done by origin and request
   url, as the spec indicates now
   - "origin" - Cache lookup is done by origin only. Preflight response
   applies to any request from this origin.
   - "any" - Cache lookup applies to *any* origin making requests to the
   domain.

This would fit in with the current preflight caching model while still
allowing some flexibility to servers implementing CORS.

Thanks,
Monsur


On Wed, Apr 18, 2012 at 7:16 AM, Anne van Kesteren <annevk@opera.com> wrote:

> On Tue, 17 Apr 2012 23:35:16 +0200, Monsur Hossain <monsur@gmail.com>
> wrote:
>
>> Hi there. The CORS spec currently indicates that the preflight cache
>> should
>> store preflight responses for a particular origin/request url pair. That
>> means that multiple requests to different urls on the same domain will
>> always trigger a preflight, even if the preflight response is exactly the
>> same for those urls. If a server only accepts a set of well defined http
>> methods and http headers, then issuing the preflight on different requests
>> is redundant.
>>
>> I was wondering if there could be a way for the server to indicate what
>> scope the preflight applies to? For example, the default could still be
>> to cache per origin/request-url, but maybe the server could set a special
>> "Access-Control-Max-Age-Scope: domain" response header to indicate that
>> the preflight response can be used for any request to the domain. Has
>> anything like this been considered?
>>
>
> Yes.
>
> http://lists.w3.org/Archives/**Public/public-appformats/**
> 2008May/0039.html<http://lists.w3.org/Archives/Public/public-appformats/2008May/0039.html>
>
>
> --
> Anne van Kesteren
> http://annevankesteren.nl/
>

Received on Wednesday, 18 April 2012 16:35:16 UTC