
Re: CORS performance proposal

From: Jonas Sicking <jonas@sicking.cc>
Date: Thu, 19 Feb 2015 12:22:20 -0800
Message-ID: <CA+c2ei92J8_A37n5=JM7vq-ufHY3-m-VKP12QSFKUVHWDcFczg@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>
Would this be allowed for both requests with credentials and requests
without credentials? The security implications of the two are very
different.

/ Jonas

On Thu, Feb 19, 2015 at 5:29 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> When the user agent is about to make its first preflight to an origin
> (timeout up to the user agent), it first makes a preflight that looks
> like:
>
>   OPTIONS *
>   Access-Control-Request-Origin-Wide-Cache: [origin]
>   Access-Control-Request-Method: *
>   Access-Control-Request-Headers: *
>
> If the response is
>
>   2xx XX
>   Access-Control-Allow-Origin-Wide-Cache: [origin]
>   Access-Control-Allow-Methods: *
>   Access-Control-Allow-Headers: *
>   Access-Control-Max-Age: [max-age]
>
> then no more preflights will be made for the duration of [max-age] (or
> shortened per user agent preference). If the response includes
>
>   Access-Control-Allow-Credentials: true
>
> the cache scope is increased to requests that include credentials.
>
> I think this has a reasonable tradeoff between security and opening up
> all the power of the HTTP APIs on the server without the performance
> hit. It still makes the developer very conscious about the various
> features involved.
>
> The cache would be on a per requesting origin basis as per the headers
> above. The Origin and Access-Control-Allow-Origin would not take part
> in this exchange, to make it very clear what this is about.
>
> (This does not affect Access-Control-Expose-Headers or any of the
> other headers required as part of non-preflight responses.)
>
>
> --
> https://annevankesteren.nl/
>
Received on Thursday, 19 February 2015 20:23:19 UTC
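The exchange Anne describes above, modelled as an added example that is not part of the original thread, not the proposal author's code, and not taken from any browser: a user agent sends one wildcard OPTIONS * preflight per requesting origin, turns the response into a cache entry only if it opts in exactly as proposed (2xx, echoed origin, "*" methods and headers, a Max-Age), and widens the entry to credentialed requests only when Access-Control-Allow-Credentials: true is present, which is the distinction Jonas asks about. Header names and opt-in conditions come from the quoted message; the cache key layout, the user-agent cap on max-age (UA_MAX_AGE_CAP_SECONDS) and the sample server responses are assumptions constructed for this example.

```javascript
// Added example modelling the origin-wide preflight cache proposed in the quoted message.
// Not code from the proposal's author or any browser; header names and opt-in rules are
// from the message, everything else (cap, key layout, sample responses) is assumed.

// Assumption standing in for "shortened per user agent preference".
const UA_MAX_AGE_CAP_SECONDS = 600;

function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = String(value).trim();
  return out;
}

// The single wildcard preflight sent before the first ordinary preflight to an origin.
function buildOriginWidePreflight(requestingOrigin) {
  return {
    method: 'OPTIONS',
    target: '*',
    headers: {
      'Access-Control-Request-Origin-Wide-Cache': requestingOrigin,
      'Access-Control-Request-Method': '*',
      'Access-Control-Request-Headers': '*',
    },
  };
}

// Turn the server's answer into a cache entry, or null if it does not opt in exactly as
// proposed. Origin / Access-Control-Allow-Origin are deliberately not consulted here.
function parseOriginWideResponse(requestingOrigin, status, rawHeaders, nowMs) {
  if (status < 200 || status > 299) return null;
  const h = normalizeHeaders(rawHeaders);
  if (h['access-control-allow-origin-wide-cache'] !== requestingOrigin) return null;
  if (h['access-control-allow-methods'] !== '*') return null;
  if (h['access-control-allow-headers'] !== '*') return null;
  const maxAge = Number.parseInt(h['access-control-max-age'], 10);
  if (!Number.isInteger(maxAge) || maxAge < 0) return null;
  return {
    // Credentialed requests are covered only when the server says so explicitly.
    coversCredentials: h['access-control-allow-credentials'] === 'true',
    expiresAtMs: nowMs + Math.min(maxAge, UA_MAX_AGE_CAP_SECONDS) * 1000,
  };
}

class OriginWidePreflightCache {
  constructor() { this.entries = new Map(); } // per requesting origin and server origin (assumed layout)
  static key(requestingOrigin, serverOrigin) { return `${requestingOrigin} -> ${serverOrigin}`; }
  store(requestingOrigin, serverOrigin, entry) {
    if (entry) this.entries.set(OriginWidePreflightCache.key(requestingOrigin, serverOrigin), entry);
  }
  // True when an ordinary per-request preflight is still required.
  needsPreflight(requestingOrigin, serverOrigin, withCredentials, nowMs) {
    const key = OriginWidePreflightCache.key(requestingOrigin, serverOrigin);
    const entry = this.entries.get(key);
    if (!entry) return true;
    if (nowMs >= entry.expiresAtMs) { this.entries.delete(key); return true; }
    return withCredentials && !entry.coversCredentials;
  }
}

// Constructed server responses (not captured traffic): one API opts in for anonymous
// requests only, the other also for credentialed ones with a shorter max-age.
const NOW_MS = 1000000000;
const anonymousOnlyApi = {
  status: 204,
  headers: {
    'Access-Control-Allow-Origin-Wide-Cache': 'https://app.example',
    'Access-Control-Allow-Methods': '*',
    'Access-Control-Allow-Headers': '*',
    'Access-Control-Max-Age': '86400',
  },
};
const credentialedApi = {
  status: 200,
  headers: { ...anonymousOnlyApi.headers, 'Access-Control-Allow-Credentials': 'true', 'Access-Control-Max-Age': '300' },
};

// Runs the exchange for one app origin against both APIs and reports what still needs a preflight.
function runScenario(requestingOrigin = 'https://app.example', nowMs = NOW_MS) {
  const cache = new OriginWidePreflightCache();
  const anon = 'https://anon.api.example';
  const auth = 'https://auth.api.example';
  cache.store(requestingOrigin, anon, parseOriginWideResponse(requestingOrigin, anonymousOnlyApi.status, anonymousOnlyApi.headers, nowMs));
  cache.store(requestingOrigin, auth, parseOriginWideResponse(requestingOrigin, credentialedApi.status, credentialedApi.headers, nowMs));
  return {
    preflightTarget: buildOriginWidePreflight(requestingOrigin).target,
    anonToAnonApi: cache.needsPreflight(requestingOrigin, anon, false, nowMs),
    credToAnonApi: cache.needsPreflight(requestingOrigin, anon, true, nowMs),
    credToAuthApi: cache.needsPreflight(requestingOrigin, auth, true, nowMs),
    authApiAfterExpiry: cache.needsPreflight(requestingOrigin, auth, true, nowMs + 301 * 1000),
    anonApiCappedByUa: cache.needsPreflight(requestingOrigin, anon, false, nowMs + (UA_MAX_AGE_CAP_SECONDS + 1) * 1000),
    otherOriginNeedsPreflight: cache.needsPreflight('https://other.example', anon, false, nowMs),
  };
}

console.log(runScenario());
```

The two results worth noticing are credToAnonApi (a credentialed request to an API that only sent the four opt-in headers still gets a normal preflight) and anonApiCappedByUa (the server's 86400 is shortened to the user agent's own cap, so the wide entry is not trusted for as long as the server asked).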
