CORS Access-Control-Max-Age is ignored

[Derek Perkins]

Sometime recently, I don't know when, my web app stopped caching pre-flight CORS requests. My CORS setup hasn't changed and my requests still authenticate, so I know it isn't broken, but it now makes an OPTIONS request on every single call. We have a SPA and especially on dashboards use the same endpoints repeatedly. Has something changed in the allowed headers or nginx architecture that would have made this stop working?

Thanks,

Derek

[Derek Perkins]

For further clarification, the front end is not running on GAE, and the backend is running on GAE Flexible using Go. Here are the headers that I'm receiving in Chrome for both the OPTIONS and POST requests.

(sorry if the log image comes through super large, the only options were too small to read or larger than my screen)

OPTIONS headers:

1. access-control-allow-credentials:
   true
2. access-control-allow-headers:
   Accept, Authorization, Content-Type, Accept-Encoding
3. access-control-allow-methods:
   POST, GET, OPTIONS, PUT, PATCH, DELETE
4. access-control-allow-origin:
   https://app.domain.com
5. access-control-max-age:
   1728000

POST headers:

1. access-control-allow-credentials:
   true
2. access-control-allow-origin:
   https://app.domain.com

[Nick (Cloud Platform Support)]

Hey Derek,

Have you deployed recently? And do you use a custom runtime, or one of the default "vm: true, runtime: <language>" runtimes? I ask to try to determine what's responsible for the caching behaviour. Also, could you send your project ID to me at my email directly?

Cheers,

Nick
Cloud Platform Community Support