Default value of Access-Control-Max-Age in Chromium


worki...@gmail.com

Mar 29, 2018, 9:21:46 AM
to Security-dev, r...@osisoft.com, MLe...@osisoft.com
Hi everyone,

I have a question about how Chromium handles CORS preflight requests. I am sorry if the topic shouldn't be in this group. Please let me know which group is the right one.

As I understand, Chromium specifies a default value of 5 seconds for "Access-Control-Max-Age" if the header isn't present. The 5-second duration seems a little bit too short to me. Can someone please tell me what the reasons are to use such a small time duration?

Thanks,
Rong

Eric Lawrence

Mar 29, 2018, 11:17:28 AM
to worki...@gmail.com, Security-dev, r...@osisoft.com, MLe...@osisoft.com
Chrome indeed does use a 5-second timeout; the specification calls for 0 seconds[1].

In general, web developers expect to be in control of the caching behavior of their sites and policies, and max-age is the mechanism by which they do so. While I believe 5 seconds to be somewhat arbitrary (performance, functionality, and security risk are all inputs), a site should be specifying a max-age if they expect to reuse a single pre-flight across multiple requests. If the browser had a higher default, it broadens the duration of exposure if a site changes their policy (e.g. they accidentally over-granted permissions).

Chrome also limits any access-control-max-age (if specified) to 10 minutes, a behavior which is a bit more controversial.

-Eric

[1] Let max-age be the result of extracting header list values given `Access-Control-Max-Age` and response’s header list.

If max-age is failure or null, then set max-age to zero.
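The behaviour Eric describes (absent header, browser default, and Chrome's cap on a specified value) can be modelled as a small preflight cache. The code below is an added example, not part of the thread and not Chromium's implementation; the policy objects, class and function names are this example's own. The only numbers it uses are the ones stated above: 0 seconds per the specification text in [1], 5 seconds as Chrome's default when the header is absent, and Chrome's 10-minute (600-second) cap on a specified value. How Chrome treats an unparseable value is not stated in the thread; the model follows the quoted spec text and treats it as zero (an assumption).

```javascript
// Added example modelling a browser's CORS preflight cache (not Chromium code).
// Values come from the thread: spec default 0 s, Chrome default 5 s, Chrome cap 600 s.
const SPEC_POLICY = { defaultSeconds: 0, capSeconds: Infinity };  // no cap modelled here (assumption)
const CHROME_POLICY = { defaultSeconds: 5, capSeconds: 600 };

// Parse Access-Control-Max-Age as the quoted spec text describes: a missing
// header is null, anything that is not a non-negative decimal integer is "failure".
function parseMaxAge(headerValue) {
  if (headerValue === null || headerValue === undefined) return null;
  const v = String(headerValue).trim();
  return /^\d+$/.test(v) ? Number(v) : "failure";
}

// Seconds a preflight result stays reusable under a given browser policy.
function effectiveMaxAge(headerValue, policy) {
  const parsed = parseMaxAge(headerValue);
  if (parsed === null) return policy.defaultSeconds; // header absent: browser default
  if (parsed === "failure") return 0;                // unparseable: zero (assumption, per spec text)
  return Math.min(parsed, policy.capSeconds);        // specified: clamped to the browser's cap
}

// Minimal preflight cache keyed on (origin, URL, method); times are in seconds.
class PreflightCache {
  constructor(policy) {
    this.policy = policy;
    this.entries = new Map();
  }
  key(origin, url, method) {
    return `${origin} ${method} ${url}`;
  }
  // Record a preflight response received at time `now`.
  store(origin, url, method, maxAgeHeader, now) {
    const ttl = effectiveMaxAge(maxAgeHeader, this.policy);
    this.entries.set(this.key(origin, url, method), { expires: now + ttl });
  }
  // True if a still-fresh cached result lets this request skip a new preflight.
  canSkipPreflight(origin, url, method, now) {
    const e = this.entries.get(this.key(origin, url, method));
    return e !== undefined && now < e.expires;
  }
}

// Exposure window from Eric's point: a server over-grants at t=0, fixes its
// policy at t=fixAt, but browsers keep honouring the cached grant until expiry.
// Returns how many seconds after the fix the stale grant is still used.
function staleGrantWindow(policy, maxAgeHeader, fixAt) {
  const cache = new PreflightCache(policy);
  const origin = "https://app.example";         // constructed sample values
  const url = "https://api.example/data";
  cache.store(origin, url, "DELETE", maxAgeHeader, 0);
  let stale = 0;
  // Probe second by second up to the cap so the loop stays bounded.
  const horizon = Math.min(effectiveMaxAge(maxAgeHeader, policy), 86400);
  for (let t = fixAt; t < horizon; t++) {
    if (cache.canSkipPreflight(origin, url, "DELETE", t)) stale++;
  }
  return stale;
}

// Stand-alone demonstration of the three cases discussed in the thread.
console.log("absent header, spec:  ", effectiveMaxAge(null, SPEC_POLICY), "s");
console.log("absent header, Chrome:", effectiveMaxAge(null, CHROME_POLICY), "s");
console.log("max-age 86400, Chrome:", effectiveMaxAge("86400", CHROME_POLICY), "s (capped)");
console.log("stale grant after fix at 60 s, Chrome:", staleGrantWindow(CHROME_POLICY, "86400", 60), "s");
```

Running it shows the trade-off in the reply: with no header, Chrome reuses a preflight for 5 seconds where the spec would reuse it for none, and a site that sends a day-long max-age still gets at most 600 seconds in Chrome, which is also the longest a mistakenly over-granted policy can outlive its fix.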