Re: Issue 131368 in chromium: Chrome ignores Access-Control-Max-Age for CORS


chro...@googlecode.com

Jun 8, 2012, 3:47:22 PM
to chromi...@chromium.org
Updates:
Summary: Chrome ignores Access-Control-Max-Age for CORS
Status: Untriaged
Labels: -Area-Internals -OS-Windows -Internals-Network-HTTP
-Internals-Network-Cache Area-WebKit WebKit-Core

Comment #6 on issue 131368 by rva...@chromium.org: Chrome ignores
Access-Control-Max-Age for CORS
http://code.google.com/p/chromium/issues/detail?id=131368

Thanks for the explanation.

This is a WebKit issue then, not related to the HTTP cache.

chro...@googlecode.com

Jun 4, 2015, 3:46:08 PM
to chromi...@chromium.org

Comment #9 on issue 131368 by ComputMa...@gmail.com: Chrome ignores
Access-Control-Max-Age for CORS
https://code.google.com/p/chromium/issues/detail?id=131368

Can anyone explain why Chrome/WebKit chooses to ignore the
Access-Control-Max-Age header if it is greater than 10 minutes? Shouldn't
the server returning this header be trusted to make the decision (hence the
existence of the header?)


chro...@googlecode.com

Jun 15, 2015, 6:35:25 PM
to chromi...@chromium.org

Comment #10 on issue 131368 by adrian.d...@gmail.com: Chrome ignores

I am experiencing even more restrictive behaviour than what is mentioned in
this thread.

In my situation I am doing cross domain chunked uploads (multiple POSTs for
every file uploaded). My test cases have been with Chrome on Android and
Chrome on iOS. I am initiating a file transfer and then monitoring it with
chrome://inspect in the network tab. I can see the client make repeated
OPTIONS requests, which happen almost once for every POST request (sometimes
there are 2 POSTs before another OPTIONS) and much more frequently
than every 10 minutes; on average OPTIONS is re-requested every 1.5 minutes.

I have confirmed that the Access-Control-Max-Age header is present in the
OPTIONS response headers, and it is set to 600 seconds.

Even if this did work correctly, and the OPTIONS request only happened
every 10 minutes, I would still prefer if I could set this parameter even
higher and not be restricted by the 600 second limit.

In my scenario I do not see the security risk with having a longer
preflight approval time, because the only thing this server accepts are POST
and GET requests for images and videos. All the files' headers are checked
server side (using the Python module magic) and discarded if they are not an
image or a video. So I see very little security risk. Even if there was a
bad actor that managed to poison the cache, the most they could do is
successfully upload a video or an image.

The cost of this client side security restriction is that my slow
users (low signal 3G or HSPA) are wasting bandwidth repeatedly requesting
OPTIONS, which is effectively slowing down their upload speed.

chro...@googlecode.com

Jun 15, 2015, 6:58:25 PM
to chromi...@chromium.org
Updates:
Status: Assigned
Owner: jap...@chromium.org

Comment #11 on issue 131368 by paulir...@chromium.org: Chrome ignores

japhet, can you take a look at this one?

chro...@googlecode.com

Jun 15, 2015, 7:20:26 PM
to chromi...@chromium.org
Updates:
Owner: mk...@chromium.org
Cc: jap...@chromium.org

Comment #12 on issue 131368 by jap...@chromium.org: Chrome ignores

mkwst is probably the best owner for CORS stuff?

chro...@googlecode.com

Oct 13, 2015, 6:18:55 AM
to chromi...@chromium.org

Comment #15 on issue 131368 by Holmes.W...@gmail.com: Chrome ignores

(bump) Is there any more update on this issue?
We're experiencing the same problems (doesn't seem to be an issue on FF).

Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:Origin, X-Requested-With, Content-Type,
Cookie, Accept
Access-Control-Allow-Methods:GET,HEAD,POST,PUT,DELETE,TRACE,OPTIONS,PATCH
Access-Control-Allow-Origin:http://mylocalserver.com:8080
Access-Control-Max-Age:600
Connection:keep-alive
Date:Tue, 13 Oct 2015 09:22:03 GMT
Vary:Origin
X-Powered-By:Express

Regardless of the "Access-Control-Max-Age" value, Chrome doesn't seem to
cache the pre-flight Options.
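
Added example, not part of the thread and not Chromium or WebKit code: a simplified model of a CORS-preflight cache following the Fetch Standard's entry matching (origin, exact URL, credentials mode), with the 10-minute limit reported in this thread applied to Access-Control-Max-Age. The class and function names, the origins and URLs, and the injected clock are assumptions made for illustration.

```javascript
// Simplified model of a CORS-preflight cache (after the Fetch Standard's
// cache-entry matching); not Chrome's or WebKit's source code.
const REPORTED_CAP_SECONDS = 600;  // the 10-minute limit reported in this thread
const DEFAULT_MAX_AGE_SECONDS = 5; // Fetch Standard default when the header is absent or invalid

// Turn an Access-Control-Max-Age header value into the lifetime actually used.
function effectiveMaxAge(headerValue, cap = REPORTED_CAP_SECONDS) {
  const text = headerValue == null ? "" : String(headerValue).trim();
  if (!/^\d+$/.test(text)) return DEFAULT_MAX_AGE_SECONDS;
  return Math.min(Number(text), cap);
}

class PreflightCache {
  constructor(cap = REPORTED_CAP_SECONDS) { this.cap = cap; this.entries = new Map(); }

  // Entries are scoped to one origin, one exact URL and one credentials mode.
  static key(r) { return JSON.stringify([r.origin, r.url, Boolean(r.credentials)]); }

  // Record a successful preflight; returns the lifetime granted in seconds.
  store(req, preflightHeaders, nowSeconds) {
    const methods = (preflightHeaders["access-control-allow-methods"] || "")
      .split(",").map((m) => m.trim().toUpperCase()).filter(Boolean);
    const ttl = effectiveMaxAge(preflightHeaders["access-control-max-age"], this.cap);
    this.entries.set(PreflightCache.key(req), { methods, expires: nowSeconds + ttl });
    return ttl;
  }

  // True when the request may skip the OPTIONS round trip.
  canSkipPreflight(req, nowSeconds) {
    const entry = this.entries.get(PreflightCache.key(req));
    if (!entry) return false;
    if (nowSeconds >= entry.expires) { this.entries.delete(PreflightCache.key(req)); return false; }
    return entry.methods.includes(req.method.toUpperCase());
  }
}

// Constructed sample: the server asks for 24 hours, the client keeps 10 minutes.
function demo() {
  const cache = new PreflightCache();
  const req = { origin: "https://app.example", url: "https://upload.example/chunk",
                method: "POST", credentials: true };
  const ttl = cache.store(req, { "access-control-allow-methods": "GET, POST",
                                 "access-control-max-age": "86400" }, 0);
  const at599 = cache.canSkipPreflight(req, 599);   // still inside the capped lifetime
  const at600 = cache.canSkipPreflight(req, 600);   // expired: a new OPTIONS is needed
  const otherUrl = cache.canSkipPreflight({ ...req, url: req.url + "?part=2" }, 10);
  return { ttl, at599, at600, otherUrl };           // a different URL never matches
}
console.log(demo());
```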