- From: Dale Harvey <dale@arandomurl.com>
- Date: Thu, 19 Feb 2015 14:03:29 +0000
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>
- Message-ID: <CAD2UGCU0wosLH3EoWXuB_DhcVZmbzAAqJ24c+NPncemVBo_Avg@mail.gmail.com>
> The cache would be on a per requesting origin basis as per the headers > above. The Origin and Access-Control-Allow-Origin would not take part > in this exchange, to make it very clear what this is about. I dont want to conflate what could be seperate proposals, but they seem closely related, this would improve the situation for easing the number of preflight requests to be made, however still requires servers to follow what is a fairly complicated process of setting up the appropriate headers What if we allowed one of the response fields to denote this url is on the public internet, please dont bother with cors restrictions. This means the process of setting up cors could be to ensure a single response returns with the appropriate headers and servers no longer need to worry about every possible headers clients can send to each particular url. (Clients would have to set a custom header to ensure the preflight optimisation was skipped I believe) This would be very much in line with how it was implemented for flash - http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html On 19 February 2015 at 13:29, Anne van Kesteren <annevk@annevk.nl> wrote: > When the user agent is about to make its first preflight to an origin > (timeout up to the user agent), it first makes a preflight that looks > like: > > OPTIONS * > Access-Control-Request-Origin-Wide-Cache: [origin] > Access-Control-Request-Method: * > Access-Control-Request-Headers: * > > If the response is > > 2xx XX > Access-Control-Allow-Origin-Wide-Cache: [origin] > Access-Control-Allow-Methods: * > Access-Control-Allow-Headers: * > Access-Control-Max-Age: [max-age] > > then no more preflights will be made for the duration of [max-age] (or > shortened per user agent preference). If the response includes > > Access-Control-Allow-Credentials: true > > the cache scope is increased to requests that include credentials. > > I think this has a reasonable tradeoff between security and opening up > all the power of the HTTP APIs on the server without the performance > hit. It still makes the developer very conscious about the various > features involved. > > The cache would be on a per requesting origin basis as per the headers > above. The Origin and Access-Control-Allow-Origin would not take part > in this exchange, to make it very clear what this is about. > > (This does not affect Access-Control-Expose-Headers or any of the > other headers required as part of non-preflight responses.) > > > -- > https://annevankesteren.nl/ > >
Received on Thursday, 19 February 2015 14:04:02 UTC