Cache your CORS

417 点作者 aloukissas超过 2 年前

17 条评论

cakoose超过 2 年前

Unfortunately this caching is still per-path. For example:<pre><code> GET /v1/document/{document-id}/comments/{comment-id} </code></pre> For every new document-id or comment-id, there will be a new pre-flight request.Alternative hacks: Offer a variant of your API format that either1. Moves the resource path to the request body (or to a header that is included in "Vary"). Though the rest of your stack (load balancing, observability, redaction) might not be ok with this, e.g. do your WAF rules support matching on the request body? You also will no longer get automatic path-based caching for GET requests.2. Conforms to the rules of a CORS "simple" request [1], which won't trigger a pre-flight request. This is what we did on the Dropbox API [2]. You'll need to move the auth information from the Authorization header to a query parameter or the body, which can be dangerous wrt redaction, e.g. many tools automatically redact the Authorization header but not query parameters.[1] <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests" rel="nofollow">https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simpl...</a>[2] <a href="https://www.dropbox.com/developers/documentation/http/documentation" rel="nofollow">https://www.dropbox.com/developers/documentation/http/docume...</a> (see "Browser-based JavaScript and CORS pre-flight requests")

评论 #32909180 未加载

评论 #32909056 未加载

评论 #32909531 未加载

评论 #32914135 未加载

评论 #32910815 未加载

评论 #32909621 未加载

bluepnume超过 2 年前

I built fetch-robot (<a href="https://github.com/krakenjs/fetch-robot" rel="nofollow">https://github.com/krakenjs/fetch-robot</a>) to avoid dealing with CORS preflight requests. And the associated maze of request and response headers you need to use to negotiate in the preflight.

评论 #32908276 未加载

评论 #32908237 未加载

pimterry超过 2 年前

Hey, I'm the author of this post, thanks for sharing it @aloukissas!I've also built a tiny "just tell me what to do" SPA for debugging your CORS configurations that everybody reading this might find useful too: <a href="https://httptoolkit.tech/will-it-cors/" rel="nofollow">https://httptoolkit.tech/will-it-cors/</a>

s-xyz超过 2 年前

Sorry I am not an expert, but just wanted to raise that I recall that in our firm we had to disable CORS caching a while back, as this was non compliant with some security standards. I think it had to do with this: <a href="https://vulncat.fortify.com/en/detail?id=desc.dynamic.html.html5_cors_prolonged_caching_of_preflight_response" rel="nofollow">https://vulncat.fortify.com/en/detail?id=desc.dynamic.html.h...</a>

评论 #32908438 未加载

colinclerk超过 2 年前

> In practice, almost all cross-origin API requests will require these preflight requests, notably includingAt Clerk, we took the opposite approach, and restructured our API so it fits within the narrow window that does not require a preflightI wrote a little about it here: <a href="https://clerk.dev/blog/skip-cors-options-preflight" rel="nofollow">https://clerk.dev/blog/skip-cors-options-preflight</a>

ShinTakuya超过 2 年前

Very good and important advice, would advise caution when implementing this though - consider a shorter period when you make changes to CORS headers so that if you make a mistake you don't accidentally cut off your frontend for 24 hrs. I guess you could hack your way around it in an emergency but it'd still be painful.

评论 #32907865 未加载

评论 #32908243 未加载

harry1989超过 2 年前

Excellent suggestion.These days chrome hides the preflight requests by default and you miss to notice the latency added for each of those CORS calls.Also we don't deal with CORS unless it's an external plugin that we include in our site. Earlier we had subdomains like api..com, static..com to parallelize network requests which required CORS to be setup. With H2 we got rid of all of them and load everything from a single domain. This reduced the CORS surface area.

评论 #32908778 未加载

zemnmez超过 2 年前

Access-Control-Max-Age has, unfortunately a big security caveat which is that it is cached on a per-endpoint basis. Because Access-Control-Allow-Origin only allows one origin specification, if you previously used the Origin header to determine who could access the API, your next API requestor will effectively get your last response.For example, to allow abc.com AND bcd.com, you could check Origin and if correct return Access-Control-Allow-Origin: *. In this case, setting Access-Control-Max-Age will mean this applies to any site* after a single successful request. If you return the site's name, this will break CORS* for that amount of time if an attacker makes a single request to it.

评论 #32909488 未加载

chrisweekly超过 2 年前

I'm a big fan of "BFF" (Backend For Frontend), which among other benefits, sidesteps CORS altogether. See eg <a href="https://remix.run/docs/en/v1/guides/bff" rel="nofollow">https://remix.run/docs/en/v1/guides/bff</a>

coding123超过 2 年前

Damn, I am kinda surprised we don't have this enabled on our site. Thanks for dropping this tonight.

评论 #32907850 未加载

kareemsabri超过 2 年前

We just use a path prefix and a reverse proxy to save the pre-flight request altogether.

评论 #32908941 未加载

评论 #32909283 未加载

yonran超过 2 年前

This is a good practical article. One minor clarification:> cross-origin API requests will require these preflight requests, notably including: … Any request including credentialsNo, setting XMLHttpRequest’s withCredentials:true and fetch’s credentials:"include" to send the user’s Cookie with the request does not imply that a preflight request must be made, since <script> and <form> sent the Cookie with cross-site requests (back in the CSRF days when the default Cookie SameSite flag was effectively SameSite=None). Maybe he was referring to a custom header such as Authorization, which does trigger prefetch.

langsoul-com超过 2 年前

I hate cors, the biggest pain in the ass I have to constantly deal with.

hugobauer超过 2 年前

Doesn't moving the API from the subdomain to the /api path on the same subdomain as the website solve the problem?

评论 #32909272 未加载

pantulis超过 2 年前

A quick hack is to cache OPTIONS in Varnish.

AtNightWeCode超过 2 年前

Wow, thank you, never heard about this before. I really hope this is not entirely correct but I will check our sites for sure. If options requests often bypass the edge servers some of the services we use are way better than expected.

unwind超过 2 年前

CORS = Cross-Origin Resource Sharing.There, that wasn't so hard, was it? I assume this is written for web developers who find this the most familiar acronym in the world, but ... still, it would not kill anybody to include the definition of the acronym, perhaps even with a friendly link [1] to make it Even More Accessible.I'll be off looking at the lawn mowing robot, now.[1]: <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS" rel="nofollow">https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS</a>

评论 #32908996 未加载

评论 #32914154 未加载

评论 #32908967 未加载