Re: CORS performance

On Thu, Feb 19, 2015 at 2:45 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Thu, Feb 19, 2015 at 11:43 AM, Brian Smith <brian@briansmith.org> wrote:
>> 1. Preflight is only necessary for a subset of CORS requests.
>> Preflight is never done for GET or HEAD, and you can avoid preflight
>> for POST requests by making your API accept data in a format that
>> matches what HTML forms post. Therefore, we're only talking about PUT,
>> DELETE, less common forms of POST, and other less commonly-used
>> methods.
>
> Euh, if you completely ignore headers, sure. But most HTTP APIs will
> use some amount of custom headers, meaning *all* methods require a
> preflight.

Is it really true that most HTTP APIs will sue some amount of custom
headers? And, is is it necessary for these APIs to be designed such
that the custom headers are required?

Cheers,
Brian

Received on Thursday, 19 February 2015 10:50:39 UTC