When the user agent is about to make its first preflight to an origin
(timeout up to the user agent), it first makes a preflight that looks like:

  Access-Control-Request-Origin-Wide-Cache: [origin]
  Access-Control-Request-Method: *
  Access-Control-Request-Headers: *

If the response is

  2xx XX
  Access-Control-Allow-Origin-Wide-Cache: [origin]
  Access-Control-Allow-Methods: *
  Access-Control-Allow-Headers: *
  Access-Control-Max-Age: [max-age]

then no more preflights will be made for the duration of [max-age] (or
shortened per user agent preference). If the response includes

  Access-Control-Allow-Credentials: true

the cache scope is increased to requests that include credentials.

I think this has a reasonable tradeoff between security and opening up
all the power of the HTTP APIs on the server without the performance
hit. It still makes the developer very conscious about the various
features involved.

The cache would be on a per requesting origin basis as per the headers
above. The Origin and Access-Control-Allow-Origin would not take part
in this exchange, to make it very clear what this is about.

(This does not affect Access-Control-Expose-Headers or any of the
other headers required as part of non-preflight responses.)
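
The user-agent side of the exchange described above, as an added example that is not part of the original message. The class, method and parameter names and the 600-second cap are assumptions; only the header names come from the message.

```javascript
// Added illustration; class, method and parameter names are hypothetical.
class OriginWidePreflightCache {
  constructor(uaCapSeconds = 600) {   // assumed user-agent cap on max-age
    this.uaCapSeconds = uaCapSeconds;
    this.entries = new Map();         // one entry per (requesting origin, target origin)
  }
  static key(requestingOrigin, targetOrigin) {
    return requestingOrigin + ' -> ' + targetOrigin;
  }
  // Headers of the origin-wide preflight, as given in the message.
  static requestHeaders(requestingOrigin) {
    return {
      'Access-Control-Request-Origin-Wide-Cache': requestingOrigin,
      'Access-Control-Request-Method': '*',
      'Access-Control-Request-Headers': '*',
    };
  }
  // Record the opt-in only when every header of the described response matches.
  store(requestingOrigin, targetOrigin, status, headers, nowSeconds) {
    const h = {};
    for (const [name, value] of Object.entries(headers)) {
      h[name.toLowerCase()] = String(value).trim();
    }
    const maxAge = Number(h['access-control-max-age']);
    const optedIn = status >= 200 && status < 300 &&
      h['access-control-allow-origin-wide-cache'] === requestingOrigin &&
      h['access-control-allow-methods'] === '*' &&
      h['access-control-allow-headers'] === '*' &&
      Number.isInteger(maxAge) && maxAge > 0;
    if (!optedIn) return false;       // assumed: fall back to per-request preflights
    this.entries.set(OriginWidePreflightCache.key(requestingOrigin, targetOrigin), {
      expires: nowSeconds + Math.min(maxAge, this.uaCapSeconds),
      credentials: h['access-control-allow-credentials'] === 'true',
    });
    return true;
  }
  // True when a request still needs a preflight of its own.
  needsPreflight(requestingOrigin, targetOrigin, withCredentials, nowSeconds) {
    const entry = this.entries.get(OriginWidePreflightCache.key(requestingOrigin, targetOrigin));
    if (!entry || nowSeconds >= entry.expires) return true;
    return withCredentials && !entry.credentials;
  }
}
```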
