
Re: CORS performance

From: Brian Smith <brian@briansmith.org>
Date: Thu, 19 Feb 2015 02:50:12 -0800
Message-ID: <CAFewVt4Cj0f3xxQG4ThDXh=0EVivL7bkZd7hPWfDdFPviAdDEQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>, Monsur Hossain <monsur@gmail.com>, Jonas Sicking <jonas@sicking.cc>, Dale Harvey <dale@arandomurl.com>
On Thu, Feb 19, 2015 at 2:45 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Thu, Feb 19, 2015 at 11:43 AM, Brian Smith <brian@briansmith.org> wrote:
>> 1. Preflight is only necessary for a subset of CORS requests.
>> Preflight is never done for GET or HEAD, and you can avoid preflight
>> for POST requests by making your API accept data in a format that
>> matches what HTML forms post. Therefore, we're only talking about PUT,
>> DELETE, less common forms of POST, and other less commonly-used
>> methods.
> Euh, if you completely ignore headers, sure. But most HTTP APIs will
> use some amount of custom headers, meaning *all* methods require a
> preflight.

Is it really true that most HTTP APIs will use some amount of custom
headers? And, is it necessary for these APIs to be designed such
that the custom headers are required?

Received on Thursday, 19 February 2015 10:50:39 UTC
