Re: CORS performance from Anne van Kesteren on 2015-02-19 (public-webappsec@w3.org from February 2015)

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 19 Feb 2015 11:45:03 +0100
To: Brian Smith <brian@briansmith.org>
Cc: WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>, Monsur Hossain <monsur@gmail.com>, Jonas Sicking <jonas@sicking.cc>, Dale Harvey <dale@arandomurl.com>
Message-ID: <CADnb78hbSXuK+RpdE6qT0E2+o_9836Lqccc0irJg6r0hOupznA@mail.gmail.com>

On Thu, Feb 19, 2015 at 11:43 AM, Brian Smith <brian@briansmith.org> wrote:
> 1. Preflight is only necessary for a subset of CORS requests.
> Preflight is never done for GET or HEAD, and you can avoid preflight
> for POST requests by making your API accept data in a format that
> matches what HTML forms post. Therefore, we're only talking about PUT,
> DELETE, less common forms of POST, and other less commonly-used
> methods.

Euh, if you completely ignore headers, sure. But most HTTP APIs will
use some amount of custom headers, meaning *all* methods require a
preflight.


-- 
https://annevankesteren.nl/

Received on Thursday, 19 February 2015 10:45:29 UTC