How to apply CORS preflight cache to an entire domain


Problem description

I am building a REST application that makes use of CORS. Every REST call is different and I am finding that there is significant overhead in getting the preflight OPTIONS call. Is there a way to cache and apply a preflight OPTIONS result so that any subsequent calls to the same domain use the cached response?

Recommended answer

Preflight can only be applied to the request, not to the entire domain. I brought the same question up on the mailing list, and there were security concerns. Here's the entire thread: http://lists.w3.org/Archives/Public/public-webapps/2012AprJun/0228.html

There are a few things to consider if you'd like to limit the number of preflight requests. First, note that WebKit/Blink based browsers set a max preflight cache of 10 minutes:

https://github.com/WebKit/webkit/blob/master/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp
https://chromium.googlesource.com/chromium/blink/+/master/Source/core/loader/CrossOriginPreflightResultCache.cpp

(I'm not sure if this is true for other browsers). So while you should always set the Access-Control-Max-Age header, the max value is 10 minutes.

Next, note that it is impossible to avoid a preflight on PUT/DELETE requests. So updates/deletes to your API will require at least one preflight every 10 minutes.

On GET/POST, avoid custom headers if at all possible, since these still trigger preflights. If your API returns JSON, note that a Content-Type of 'application/json' also triggers a preflight.

If you are willing to bend just how "RESTful" your API is, there are a few more things you can try. One is to use a Content-Type that doesn't need a preflight, like 'text/plain'. Custom headers always trigger preflights, so if you have any custom headers, you could move them into query parameters. At the extreme end, you could use a protocol like JSON-RPC, where all requests are made to a single endpoint.

In all honesty, because of the browser's preflight cache limit of 10 minutes, and REST's resource URLs, the preflight cache is fairly useless. There's very little you can do to limit preflights over the course of a long-running app. I'm hopeful the authors of the CORS spec will try to address this in the future.
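The rules the answer lists (PUT/DELETE, custom headers and `application/json` always preflight; `text/plain` does not; WebKit/Blink cap the cache at 10 minutes) can be turned into a small checker. This is an added example, not code from the original answer; the safelisted method and header lists are taken from the Fetch standard's CORS-safelisted definitions and therefore also cover HEAD and the other safelisted Content-Types the answer does not mention.

```javascript
// Predicts whether a cross-origin request will trigger a CORS preflight.
// CORS-safelisted methods, headers and Content-Type values per the Fetch standard.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set([
  "text/plain",
  "multipart/form-data",
  "application/x-www-form-urlencoded",
]);

// Returns the list of reasons a preflight is needed; an empty list means the
// browser can send the request directly ("simple request").
function preflightReasons({ method = "GET", headers = {} }) {
  const reasons = [];
  const m = method.toUpperCase();
  if (!SAFE_METHODS.has(m)) reasons.push(`method ${m} is not GET/HEAD/POST`);
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFE_HEADERS.has(lower)) {
      reasons.push(`custom header ${name}`);
    } else if (lower === "content-type") {
      // Compare only the media type; parameters like "; charset=utf-8" are ignored.
      const essence = value.split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(essence)) reasons.push(`Content-Type ${essence}`);
    }
  }
  return reasons;
}

// WebKit/Blink cap the preflight cache at 10 minutes, so the lifetime the browser
// actually honours is min(Access-Control-Max-Age, 600) seconds. Invalid or
// negative values disable caching (0).
const BROWSER_MAX_AGE_CAP = 600;
function effectiveMaxAge(headerValue) {
  const n = Number.parseInt(headerValue, 10);
  if (Number.isNaN(n) || n < 0) return 0;
  return Math.min(n, BROWSER_MAX_AGE_CAP);
}

// Constructed sample requests for the cases discussed in the answer.
console.log(preflightReasons({ method: "DELETE" }));
console.log(preflightReasons({ method: "POST", headers: { "Content-Type": "application/json" } }));
console.log(preflightReasons({ method: "POST", headers: { "Content-Type": "text/plain" } }));
console.log(effectiveMaxAge("86400"));
```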
