Re: CORS and Caching (in reverse proxies / CDNs) from Monsur Hossain on 2014-04-30 (public-webappsec@w3.org from April 2014)

From: Monsur Hossain <monsur@gmail.com>
Date: Wed, 30 Apr 2014 11:06:48 -0500
To: Nils Goroll <slink@schokola.de>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAKSyWQ=UH7YkcLW5VATD7_ni-9y_g-1m5GMjVXpSMoOHTj6mxA@mail.gmail.com>

On Mon, Apr 28, 2014 at 9:43 AM, Nils Goroll <slink@schokola.de> wrote:

> Hi,
>
> working on the Varnish / CDN configurations of some reasonably large web
> sites,
> I wondered why, even for one of the simplest use cases, CORS is
> unnecessarily
> cache-unfriendly.
>
> Ref: http://www.w3.org/TR/cors/#resource-implementation
>
> Please consider the simple case of a web font
> http://static.do.main/font.woff
> which, for licensing reasons, is to be shared with a set of specific
> origins
> only, so using 'Access-Control-Allow-Origin: *' is not an option.
>
> As it stands, the spec demands to generate one cache object per origin,
> despite
> the fact that the actual object (http body) is bit equivalent for all
> copies.
>
> I wonder if the CORS model could be made more cache-friendly by reducing
> the
> number of cases where "Vary: Origin" is required. From the perspective of
> the
> use case discussed here, it would be sufficient to allow for
>
> - simple patterns in Access-Control-Allow-Origin
> - allowing for multiple Values in Access-Control-Allow-Origin
>

I see this question come up a lot, either for multi-origin support in the
ACAO header, regex support in either the ACAO and/or ACAH headers, or
confusion over why the * value doesn't work in the ACAH header. If it won't
be supported, it'd be useful for the spec to explicitly state why not, to
avoid this confusion in the future.

However, I think this would be a useful feature, and would help make the
preflight cache more relevant. Server authors are already writing this type
of logic, they just put it in their server code. And then they curse at why
adding CORS support can't be as easy as updating a web.config or .htaccess
file. All existing CORS implementations would continue working, the worse
that would happen is that older user-agents would reject newer requests
(e.g. an older user-agent would do a string comparison between http://*.
example.com and http://www.example.com and reject the request). As a server
author, you'd have to decide whether supporting the "new CORS" format is
worth it, which is the same decision server authors had to make when
supporting CORS in the first place.

Thanks,
Monsur

>
> such as
>
>         Access-Control-Allow-Origin: http://*.do.main,
> https://partner.site,
> xmpp://future.extension
>
> I have not yet made any attempt to address the question of cache
> friendliness on
> a broader perspective of CORS.
>
> I'd appreciate pointers if this issue had been discussed before, as I have
> failed to find any previous discussion in the list archives.
>
> Thank you, Nils
>
>
>

Received on Wednesday, 30 April 2014 16:07:19 UTC