
Re: CORS performance proposal

From: Dale Harvey <dale@arandomurl.com>
Date: Thu, 19 Feb 2015 14:03:29 +0000
Message-ID: <CAD2UGCU0wosLH3EoWXuB_DhcVZmbzAAqJ24c+NPncemVBo_Avg@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>
> The cache would be on a per requesting origin basis as per the headers
> above. The Origin and Access-Control-Allow-Origin would not take part
> in this exchange, to make it very clear what this is about.

I don't want to conflate what could be separate proposals, but they seem
closely related. This would improve the situation by easing the number of
preflight requests to be made; however, it still requires servers to follow
what is a fairly complicated process of setting up the appropriate headers.

What if we allowed one of the response fields to denote "this URL is on the
public internet, please don't bother with CORS restrictions"? This means the
process of setting up CORS could be to ensure a single response returns
with the appropriate headers, and servers no longer need to worry about
every possible header clients can send to each particular URL.

(Clients would have to set a custom header to ensure the preflight
optimisation was skipped I believe)

This would be very much in line with how it was implemented for Flash -
http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html


On 19 February 2015 at 13:29, Anne van Kesteren <annevk@annevk.nl> wrote:

> When the user agent is about to make its first preflight to an origin
> (timeout up to the user agent), it first makes a preflight that looks
> like:
>
>   OPTIONS *
>   Access-Control-Request-Origin-Wide-Cache: [origin]
>   Access-Control-Request-Method: *
>   Access-Control-Request-Headers: *
>
> If the response is
>
>   2xx XX
>   Access-Control-Allow-Origin-Wide-Cache: [origin]
>   Access-Control-Allow-Methods: *
>   Access-Control-Allow-Headers: *
>   Access-Control-Max-Age: [max-age]
>
> then no more preflights will be made for the duration of [max-age] (or
> shortened per user agent preference). If the response includes
>
>   Access-Control-Allow-Credentials: true
>
> the cache scope is increased to requests that include credentials.
>
> I think this has a reasonable tradeoff between security and opening up
> all the power of the HTTP APIs on the server without the performance
> hit. It still makes the developer very conscious about the various
> features involved.
>
> The cache would be on a per requesting origin basis as per the headers
> above. The Origin and Access-Control-Allow-Origin would not take part
> in this exchange, to make it very clear what this is about.
>
> (This does not affect Access-Control-Expose-Headers or any of the
> other headers required as part of non-preflight responses.)
>
>
> --
> https://annevankesteren.nl/
Received on Thursday, 19 February 2015 14:04:01 UTC
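The exchange in the quoted proposal, modelled from the user agent's side as an added example (this is not code from the thread or from any browser). The header names are the proposal's; the cache keyed on (requesting origin, target origin), the user-agent cap on max-age, the rule that a bare `*` does not count as the echoed origin, and the `demo()` scenario are my assumptions. The point it shows is the failure-closed behaviour: anything other than an exact match leaves the UA on the ordinary per-request preflight path, and a cache entry without `Access-Control-Allow-Credentials: true` never covers credentialed requests.

```python
import time
from dataclasses import dataclass

# Assumption: the UA may shorten [max-age] ("shortened per user agent preference").
UA_MAX_AGE_CAP = 600


@dataclass
class CacheEntry:
    expires_at: float
    credentials: bool  # True only if the server sent Access-Control-Allow-Credentials: true


class OriginWideCache:
    """Per (requesting origin, target origin) cache of origin-wide preflight answers."""

    def __init__(self, now=time.time):
        self._now = now
        self._entries = {}

    @staticmethod
    def probe_headers(requesting_origin):
        """Headers the UA sends on 'OPTIONS *' before its first ordinary preflight."""
        return {
            "Access-Control-Request-Origin-Wide-Cache": requesting_origin,
            "Access-Control-Request-Method": "*",
            "Access-Control-Request-Headers": "*",
        }

    def record(self, requesting_origin, target_origin, status, headers):
        """Populate the cache only when the answer matches the proposal exactly.
        Non-2xx, wrong origin echo, non-wildcard methods/headers or a bad
        max-age all return False and leave the cache untouched."""
        h = {k.lower(): v.strip() for k, v in headers.items()}
        if not 200 <= status <= 299:
            return False
        # Must echo the requesting origin; a bare '*' is not accepted (assumption).
        if h.get("access-control-allow-origin-wide-cache") != requesting_origin:
            return False
        if h.get("access-control-allow-methods") != "*" or h.get("access-control-allow-headers") != "*":
            return False
        try:
            max_age = int(h.get("access-control-max-age", ""))
        except ValueError:
            return False
        if max_age <= 0:
            return False
        ttl = min(max_age, UA_MAX_AGE_CAP)
        credentials = h.get("access-control-allow-credentials", "").lower() == "true"
        self._entries[(requesting_origin, target_origin)] = CacheEntry(self._now() + ttl, credentials)
        return True

    def needs_preflight(self, requesting_origin, target_origin, with_credentials):
        """True if the UA must still preflight this request the ordinary way."""
        key = (requesting_origin, target_origin)
        entry = self._entries.get(key)
        if entry is None:
            return True
        if self._now() >= entry.expires_at:
            del self._entries[key]  # expired: next request triggers a fresh probe
            return True
        if with_credentials and not entry.credentials:
            return True  # cache scope does not cover credentialed requests
        return False


def demo():
    """Constructed scenario with a fake clock; returns the decisions made at each step."""
    clock = {"t": 1000.0}
    cache = OriginWideCache(now=lambda: clock["t"])
    app, api = "https://app.example", "https://api.example"  # constructed origins
    full = {
        "Access-Control-Allow-Origin-Wide-Cache": app,
        "Access-Control-Allow-Methods": "*",
        "Access-Control-Allow-Headers": "*",
        "Access-Control-Max-Age": "86400",
    }
    r = {}
    r["before"] = cache.needs_preflight(app, api, False)          # True: nothing cached yet
    r["recorded"] = cache.record(app, api, 204, full)               # True: exact match
    r["after"] = cache.needs_preflight(app, api, False)             # False: cached
    r["with_creds"] = cache.needs_preflight(app, api, True)         # True: no Allow-Credentials
    r["other_origin"] = cache.needs_preflight("https://other.example", api, False)  # True
    clock["t"] += UA_MAX_AGE_CAP + 1                                # UA cap, not 86400, governs
    r["expired"] = cache.needs_preflight(app, api, False)           # True
    r["creds_ok"] = cache.record(app, api, 200, {**full, "Access-Control-Allow-Credentials": "true"})
    r["creds_scoped"] = cache.needs_preflight(app, api, True)       # False: scope now includes credentials
    r["partial"] = cache.record(app, api, 200, {**full, "Access-Control-Allow-Methods": "GET, POST"})  # False
    return r


if __name__ == "__main__":
    for step, decision in demo().items():
        print(f"{step:>13}: {decision}")
```

The server side of this is a single `OPTIONS *` handler that answers only when it is genuinely willing to accept any method and any header from that origin; if it cannot, it should omit the wide-cache header rather than partially match, since the UA above treats a partial answer as "no cache" and falls back to per-request preflights.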
