Comment #10 on issue 131368 by adrian.d...@gmail.com: Chrome ignores
I am experiencing even more restrictive behaviour than what is mentioned in
this thread.

In my situation I am doing cross-domain chunked uploads (multiple POSTs for
every file uploaded). My test cases have been with Chrome on Android and
Chrome on iOS. I am initiating a file transfer and then monitoring it with
chrome://inspect in the network tab. I can see the client make repeated
OPTIONS requests which happen almost once for every POST request (sometimes
there are 2 POSTs before another OPTIONS), and happen much more frequently
than every 10 minutes; on average OPTIONS is re-requested every 1.5 minutes.

I have confirmed that the Access-Control-Max-Age header is present in the
OPTIONS response headers, and it is set to 600 seconds.

Even if this did work correctly, and the OPTIONS request only happened
every 10 minutes, I would still prefer if I could set this parameter even
higher and not be restricted by the 600 second limit.

In my scenario I do not see the security risk with having a longer
preflight approval time, because the only thing this server accepts are POST
and GET requests for images and videos. All the files' headers are checked
server side (using the Python module magic) and discarded if they are not an
image or a video. So I see very little security risk. Even if there was a
bad actor that managed to poison the cache, the most they could do is
successfully upload a video or an image.

The cost of this client-side security restriction is that my slow
users (low signal 3G or HSPA) are wasting bandwidth repeatedly requesting
OPTIONS, which is effectively slowing down their upload speed.
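
An added example, not part of the comment above or of Chrome's code: a small checker that takes a request log exported from the network tab and labels each OPTIONS preflight as the first for its URL, a repeat sent before Access-Control-Max-Age ran out, or a repeat after expiry. The log format, the upload.example host and the sample timings are constructed, and the preflight cache is modelled as keyed on the full request URL only (the Fetch standard's cache entry also covers origin, credentials, method and header name).

```python
from statistics import mean

MAX_AGE = 600  # seconds; the Access-Control-Max-Age value reported in the comment

# Constructed sample: (seconds since start, method, URL). Placeholder host.
SAMPLE = [
    (0,   "OPTIONS", "https://upload.example/files?chunk=1"),
    (1,   "POST",    "https://upload.example/files?chunk=1"),
    (90,  "OPTIONS", "https://upload.example/files?chunk=2"),
    (91,  "POST",    "https://upload.example/files?chunk=2"),
    (95,  "POST",    "https://upload.example/files?chunk=2"),
    (180, "OPTIONS", "https://upload.example/files?chunk=2"),
    (181, "POST",    "https://upload.example/files?chunk=2"),
]


def classify_preflights(entries, max_age=MAX_AGE):
    """Return (time, url, verdict, age) for every OPTIONS request, in time order.

    Assumes every preflight succeeded and returned the same max_age.
    """
    last_seen = {}  # full URL (query string included) -> time of last preflight
    results = []
    for t, method, url in sorted(entries):
        if method != "OPTIONS":
            continue
        prev = last_seen.get(url)
        if prev is None:
            verdict, age = "first-for-url", None   # expected: nothing cached yet
        elif t - prev < max_age:
            verdict, age = "early", t - prev       # cached entry should still apply
        else:
            verdict, age = "expired", t - prev     # expected: entry timed out
        last_seen[url] = t
        results.append((t, url, verdict, age))
    return results


def mean_preflight_gap(entries):
    """Average number of seconds between consecutive OPTIONS requests."""
    times = sorted(t for t, method, _ in entries if method == "OPTIONS")
    gaps = [b - a for a, b in zip(times, times[1:])]
    return mean(gaps) if gaps else None


if __name__ == "__main__":
    for row in classify_preflights(SAMPLE):
        print(row)
    print("mean gap between preflights (s):", mean_preflight_gap(SAMPLE))
```

Only the "early" rows are preflights the advertised max-age does not account for; "first-for-url" rows are expected whenever each chunk is sent to a distinct URL.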