W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: CORS performance

From: Jonas Sicking <jonas@sicking.cc>
Date: Thu, 19 Feb 2015 11:52:37 -0800
Message-ID: <CA+c2ei8piSPwZRt+h0oV35dVG5NVhP1anAVxTHrbtF2qf3pGPg@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Dale Harvey <dale@arandomurl.com>, Brian Smith <brian@briansmith.org>, WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>, Monsur Hossain <monsur@gmail.com>
On Thu, Feb 19, 2015 at 3:30 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Thu, Feb 19, 2015 at 12:17 PM, Dale Harvey <dale@arandomurl.com> wrote:
>> With Couch / PouchDB we are working with an existing REST API wherein every
>> request is to a different url (which is unlikely to change), the performance
>> impact is significant since most of the time is used up by latency, the CORS
>> preflight request essentially double the time it takes to do anything
> Yeah, also, it should not be up to us how people design their HTTP
> APIs. Limiting HTTP in that way because it is hard to make CORS scale
> seems bad.
> I think we've been too conservative when introducing CORS. It's
> effectively protecting content behind a firewall,

...and content that uses user credentials like cookies.

/ Jonas
Received on Thursday, 19 February 2015 19:53:34 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:46 UTC