How to apply CORS preflight cache to an entire domain


Question


I am building a REST application that makes use of CORS. Every REST call is different and I am finding that there is significant overhead in getting the preflight OPTIONS call. Is there a way to cache and apply a preflight OPTIONS result so that any subsequent calls to the same domain use the cached response?

Answer


Preflight can only be applied to the request, not to the entire domain. I brought the same question up on the mailing list, and there were security concerns. Here's the entire thread: http://lists.w3.org/Archives/Public/public-webapps/2012AprJun/0228.html


There are a few things to consider if you'd like to limit the number of preflight requests. First note that WebKit/Blink-based browsers set a max preflight cache of 10 minutes:

https://github.com/WebKit/webkit/blob/master/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp
https://chromium.googlesource.com/chromium/blink/+/master/Source/core/loader/CrossOriginPreflightResultCache.cpp


(I'm not sure if this is true for other browsers). So while you should always set the Access-Control-Max-Age header, the max value is 10 minutes.


Next note that it is impossible to avoid a preflight on PUT/DELETE requests. So updates/deletes to your API will require at least one preflight every 10 minutes.


On GET/POST, avoid custom headers if at all possible, since these still trigger preflights. If your API returns JSON, note that a Content-Type of 'application/json' also triggers a preflight.


If you are willing to bend just how "RESTful" your API is, there are a few more things you can try. One is to use a Content-Type that doesn't need a preflight, like 'text/plain'. Custom headers always trigger preflights, so if you have any custom headers, you could move them into query parameters. At the extreme end, you could use a protocol like JSON-RPC, where all requests are made to a single endpoint.


In all honesty, because of the browser's preflight cache limit of 10 minutes, and REST's resource URLs, the preflight cache is fairly useless. There's very little you can do to limit preflights over the course of a long-running app. I'm hopeful the authors of the CORS spec will try to address this in the future.
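The rules the answer lays out (PUT/DELETE always preflight, custom headers always preflight, `application/json` preflights while `text/plain` does not, and the browser caps `Access-Control-Max-Age` at 10 minutes) can be checked against concrete requests. The following is an added example, not code from the original post or from any of the projects linked above: a small server-side helper that predicts whether a browser would send an OPTIONS preflight for a given request, and builds a preflight response whose `Access-Control-Max-Age` is clamped to the 600-second ceiling the answer cites for WebKit/Blink. The safelisted method, header and Content-Type sets follow the Fetch standard's CORS-safelisted lists; the header-value length limits in that standard are deliberately not modelled here, and the allow-list values are constructed sample data.

```python
# Added example (not from the original post): predict whether a cross-origin
# request is "simple" (no preflight) or will trigger an OPTIONS preflight,
# following the rules given in the answer, and build a preflight response
# whose max-age respects the 10-minute browser cap the answer cites.
from typing import Dict, Iterable, Tuple

# Methods that never require a preflight on their own
# (Fetch standard CORS-safelisted methods). PUT/DELETE/PATCH are not here.
SAFE_METHODS = {"GET", "HEAD", "POST"}

# Request headers a browser may send cross-origin without a preflight
# (Fetch standard CORS-safelisted request headers; value-length limits omitted).
SAFE_HEADERS = {"accept", "accept-language", "content-language", "content-type"}

# Content-Type values that do not trigger a preflight.
# Note that 'application/json' is NOT in this set.
SAFE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}

# Ceiling WebKit/Blink apply to Access-Control-Max-Age, in seconds (10 minutes).
BROWSER_MAX_AGE_CAP = 600


def needs_preflight(method: str, headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (True, reason) if a browser would send an OPTIONS preflight
    before this request, or (False, '') if it is a simple request."""
    upper = method.upper()
    if upper not in SAFE_METHODS:
        return True, f"method {upper} is not GET/HEAD/POST"
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SAFE_HEADERS:
            return True, f"custom header {name}"
        if lname == "content-type":
            # Strip parameters such as '; charset=utf-8' before comparing.
            media_type = value.split(";", 1)[0].strip().lower()
            if media_type not in SAFE_CONTENT_TYPES:
                return True, f"Content-Type {media_type}"
    return False, ""


def preflight_response(
    origin: str,
    allowed_origins: Iterable[str],
    allowed_methods: Iterable[str],
    allowed_headers: Iterable[str],
    requested_max_age: int,
) -> Dict[str, str]:
    """Build the response headers for an OPTIONS preflight.

    Only origins on the allow-list are echoed back (never '*' with credentials
    in mind), and Access-Control-Max-Age is clamped to BROWSER_MAX_AGE_CAP
    because a larger value buys nothing in WebKit/Blink."""
    if origin not in set(allowed_origins):
        # Unknown origin: answer without any Access-Control-* headers so the
        # browser blocks the cross-origin request.
        return {"Vary": "Origin"}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(m.upper() for m in allowed_methods),
        "Access-Control-Allow-Headers": ", ".join(allowed_headers),
        "Access-Control-Max-Age": str(min(requested_max_age, BROWSER_MAX_AGE_CAP)),
        # The response depends on the Origin header, so caches must key on it.
        "Vary": "Origin",
    }


if __name__ == "__main__":
    # Constructed sample requests illustrating the answer's rules.
    samples = [
        ("GET", {"Accept": "application/json"}),
        ("POST", {"Content-Type": "application/json"}),
        ("POST", {"Content-Type": "text/plain; charset=utf-8"}),
        ("DELETE", {}),
        ("GET", {"X-Api-Key": "constructed-sample"}),
    ]
    for method, hdrs in samples:
        pre, why = needs_preflight(method, hdrs)
        print(f"{method:6} {hdrs!s:45} preflight={pre} {why}")
    print(preflight_response("https://app.example", ["https://app.example"],
                             ["GET", "POST", "DELETE"], ["Content-Type"], 86400))
```

Moving a custom header into a query parameter, as the answer suggests, shows up in this model as the `X-Api-Key` case flipping from `preflight=True` to `False`; switching the request body's Content-Type from `application/json` to `text/plain` does the same. Whatever the server asks for in `Access-Control-Max-Age`, the clamp makes the emitted value reflect what the browser will actually honour.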
