Re: CORS performance

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 19 Feb 2015 11:49:01 +0100
Message-ID: <CADnb78j3TZ85Ck=zVbw+rAhzjmyqbwJNkwUhMOgcDfRZV=PUHA@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>, Monsur Hossain <monsur@gmail.com>, Jonas Sicking <jonas@sicking.cc>, Dale Harvey <dale@arandomurl.com>

On Thu, Feb 19, 2015 at 11:45 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Thu, Feb 19, 2015 at 11:43 AM, Brian Smith <brian@briansmith.org> wrote:
>> 1. Preflight is only necessary for a subset of CORS requests.
>> Preflight is never done for GET or HEAD, and you can avoid preflight
>> for POST requests by making your API accept data in a format that
>> matches what HTML forms post. Therefore, we're only talking about PUT,
>> DELETE, less common forms of POST, and other less commonly-used
>> methods.
> Euh, if you completely ignore headers, sure. But most HTTP APIs will
> use some amount of custom headers, meaning *all* methods require a
> preflight.

And you seem to forget that an HTTP API typically covers a large set
of URLs (e.g. if you use a remote database such as PouchDB). With CORS
that requires at least one preflight per URL.

Received on Thursday, 19 February 2015 10:49:24 UTC
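
The preflight rules discussed in this thread, as an added example that is not part of the original messages: a simplified model of which cross-origin requests need a preflight, and of how a per-URL preflight cache behaves for an API spread over many URLs. The function names, the `db.example` URLs and the `X-Api-Version` header are hypothetical, and the model assumes every preflight succeeds, cache entries never expire, and only the header-name and Content-Type checks apply.

```javascript
// Added illustration: a simplified model of the CORS preflight rules, not browser code.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Header names that force a preflight (lower-cased, sorted).
function nonSimpleHeaders(headers) {
  const out = [];
  for (const [name, value] of Object.entries(headers || {})) {
    const n = name.toLowerCase();
    if (SIMPLE_HEADERS.has(n)) continue;
    if (n === "content-type") {
      // Parameters such as "; charset=utf-8" are ignored for this check.
      const mime = String(value).split(";")[0].trim().toLowerCase();
      if (SIMPLE_CONTENT_TYPES.has(mime)) continue;
    }
    out.push(n);
  }
  return out.sort();
}

function needsPreflight(method, headers) {
  return !SIMPLE_METHODS.has(method.toUpperCase()) ||
    nonSimpleHeaders(headers).length > 0;
}

// Count preflights for a sequence of cross-origin requests from one origin.
function countPreflights(requests) {
  const cache = new Set(); // keyed per URL: a cached result is not reused for other URLs
  let preflights = 0;
  for (const { method, url, headers } of requests) {
    if (!needsPreflight(method, headers)) continue;
    const key = [url, method.toUpperCase(), ...nonSimpleHeaders(headers)].join(" ");
    if (!cache.has(key)) { cache.add(key); preflights++; }
  }
  return preflights;
}

// Constructed sample: a document-per-URL API that sends a custom header.
const docs = ["a", "b", "c"].map((id) => ({
  method: "GET",
  url: `https://db.example/docs/${id}`,
  headers: { "X-Api-Version": "1" }, // hypothetical header name
}));
console.log(countPreflights([...docs, ...docs])); // each URL fetched twice
```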