- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 19 Feb 2015 11:49:01 +0100
- To: Brian Smith <brian@briansmith.org>
- Cc: WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>, Monsur Hossain <monsur@gmail.com>, Jonas Sicking <jonas@sicking.cc>, Dale Harvey <dale@arandomurl.com>
On Thu, Feb 19, 2015 at 11:45 AM, Anne van Kesteren <annevk@annevk.nl> wrote: > On Thu, Feb 19, 2015 at 11:43 AM, Brian Smith <brian@briansmith.org> wrote: >> 1. Preflight is only necessary for a subset of CORS requests. >> Preflight is never done for GET or HEAD, and you can avoid preflight >> for POST requests by making your API accept data in a format that >> matches what HTML forms post. Therefore, we're only talking about PUT, >> DELETE, less common forms of POST, and other less commonly-used >> methods. > > Euh, if you completely ignore headers, sure. But most HTTP APIs will > use some amount of custom headers, meaning *all* methods require a > preflight. And you seem to forget that an HTTP API typically covers a large set of URLs (e.g. if you use remote database such as PouchDB). With CORS that requires at least one preflight per URL. -- https://annevankesteren.nl/
Received on Thursday, 19 February 2015 10:49:24 UTC