Preflight caching can only be applied to a request, and not to the entire domain. I raised the same question on the mailing list, and there were security issues. Here's the whole thread: http://lists.w3.org/Archives/Public/public-webapps/2012AprJun/0228.html
There are a few things to consider if you want to limit the number of preflight requests. First of all, note that WebKit/Blink-based browsers cap the preflight cache at a maximum of 10 minutes:
https://github.com/WebKit/webkit/blob/master/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp
https://chromium.googlesource.com/chromium/blink/+/master/Source/core/loader/CrossOriginPreflightResultCache.cpp
(I'm not sure if this is true for other browsers.) Therefore, while you should always set the Access-Control-Max-Age header, the maximum value is 10 minutes.
Note that it is not possible to avoid preflight requests on PUT/DELETE. Thus, updating/removing through your API will require at least one preflight every 10 minutes.
On GET/POST, avoid custom headers if at all possible, as they also trigger preflights. If your API returns JSON, note that a Content-Type of 'application/json' also triggers a preflight.
If you're willing to bend your API away from "RESTful", there are a few more things you can try. One of them is to use a Content-Type that does not need a preflight, for example "text/plain". Custom headers always trigger preflights, so if you have custom headers, you can move them to query parameters. As a last resort, you can use a protocol such as JSON-RPC, where all requests are sent to one endpoint.
Honestly, between the browser's 10-minute preflight cache and REST resource URLs, the preflight cache is pretty worthless. There is very little that can be done to limit preflights over the life of a long-running application. I hope the authors of the CORS specification will try to solve this problem in the future.
monsur Aug 18 '12 at 20:25
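As an added example (not part of the answer above), the following Node.js code applies the rules the answer describes: it classifies a cross-origin request as "simple" or preflighted using the CORS-safelisted method, header and Content-Type lists, and builds an OPTIONS preflight response whose Access-Control-Max-Age is clamped to the 10-minute cap WebKit/Blink enforce. The origin allowlist and the 600-second constant are assumptions for the example.

```javascript
// Added example, not code from the original answer. Plain Node.js, no dependencies.
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFELISTED_CONTENT_TYPES = new Set(['text/plain', 'multipart/form-data', 'application/x-www-form-urlencoded']);
const MAX_AGE_CAP_SECONDS = 600; // assumed constant: the 10-minute browser-side cache cap the answer cites

// Returns true if a browser must send an OPTIONS preflight before this request.
function needsPreflight(method, headers) {
  if (!['GET', 'HEAD', 'POST'].includes(method.toUpperCase())) return true; // PUT/DELETE always preflight
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return true; // any custom header (e.g. X-Api-Key) preflights
    if (lower === 'content-type') {
      const mediaType = value.split(';')[0].trim().toLowerCase(); // drop parameters such as charset
      if (!SAFELISTED_CONTENT_TYPES.has(mediaType)) return true; // application/json preflights
    }
  }
  return false;
}

// Builds status and headers for an OPTIONS preflight. `allowedOrigins` is an
// assumed explicit allowlist; reflecting any Origin or using '*' is weaker.
function preflightResponse(origin, requestedMethod, requestedHeaders, allowedOrigins, maxAgeSeconds) {
  if (!allowedOrigins.includes(origin)) return { status: 403, headers: {} };
  return {
    status: 204,
    headers: {
      'Access-Control-Allow-Origin': origin,
      'Vary': 'Origin', // keep shared caches from serving one origin's answer to another
      'Access-Control-Allow-Methods': requestedMethod,
      'Access-Control-Allow-Headers': requestedHeaders || '',
      // A value above 600 s buys nothing in WebKit/Blink, so clamp it to the cap.
      'Access-Control-Max-Age': String(Math.min(maxAgeSeconds, MAX_AGE_CAP_SECONDS)),
    },
  };
}
```

Running `needsPreflight` over an API's typical request shapes shows which endpoints pay the per-10-minute preflight cost and which can be made "simple" by the Content-Type and query-parameter tricks in the answer.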