Closed by jub0bs 1 year ago
Sure? Right now, the spec says it should be inserted as step 7.8, but it could be step 7.1. I've no strong opinion about that.
@letitz For context, my line of thought was that processing the ACAM and ACAH headers can potentially be costly (e.g. if the server responds with long header values). We could avoid all that work if the request's issuing origin happens to resolve to a less private network and the server hasn't allowed PNA.
Fair enough! Would you care to send a PR?
@letitz I can certainly do that :)
Great, thanks!
This should have been closed when #90 was merged.
@letitz Weird, I thought I had left a comment on this... Anyway, have you created a crbug to track this change in Chromium? One reason I'm asking is that maintainers of CORS middleware may accordingly want to adjust the order in which they check things.
I was also briefly confused, having déjà vu... It's because you left the comment and I replied on the PR (#90)!
@letitz Sorry! All good.
In section 3.1.2. (entitled CORS preflight), item 4.2 reads as follows (please ignore the difference in numbering format):
(my emphasis)
Is there a reason this step comes "so" late? For performance reasons, could that step not be moved, for instance, to immediately after the CORS check that takes place at step 7 of CORS-preflight fetch?
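The ordering discussed in this thread, as an added example that is not part of the issue, the spec, or any browser's code: a simplified preflight-response validator that runs the Private Network Access check right after the CORS check and before parsing `Access-Control-Allow-Methods` (ACAM) and `Access-Control-Allow-Headers` (ACAH). The function name, the request fields and the `parsedLists` flag are assumptions made for the sketch.

```javascript
// Added example (not spec text): simplified preflight-response validation.
// Assumptions: header names are lower-cased keys of a plain object; the
// request fields (origin, method, headerNames, credentials,
// targetsMorePrivateNetwork) are hypothetical names for this sketch.
const SAFELISTED_METHODS = ["GET", "HEAD", "POST"];

function splitList(value) {
  return (value || "").split(",").map((s) => s.trim()).filter(Boolean);
}

function checkPreflight(req, headers) {
  const fail = (reason) => ({ ok: false, reason, parsedLists: false });

  // 1. CORS check on Access-Control-Allow-Origin / -Credentials.
  const acao = headers["access-control-allow-origin"];
  const originOk = acao === req.origin || (!req.credentials && acao === "*");
  if (!originOk) return fail("cors-origin");
  if (req.credentials &&
      headers["access-control-allow-credentials"] !== "true") {
    return fail("cors-credentials");
  }

  // 2. PNA check placed early: a single exact comparison, so a server that
  //    has not allowed PNA is rejected before any list parsing.
  if (req.targetsMorePrivateNetwork &&
      headers["access-control-allow-private-network"] !== "true") {
    return fail("pna-not-allowed");
  }

  // 3. Only now parse the potentially long ACAM and ACAH values.
  //    Wildcard handling is simplified: "*" counts only without credentials.
  const methods = splitList(headers["access-control-allow-methods"]);
  const allowed = splitList(headers["access-control-allow-headers"])
    .map((h) => h.toLowerCase());
  const wildcard = (list) => !req.credentials && list.includes("*");
  const done = (ok, reason) => ({ ok, reason, parsedLists: true });

  if (!SAFELISTED_METHODS.includes(req.method) &&
      !methods.includes(req.method) && !wildcard(methods)) {
    return done(false, "method-not-allowed");
  }
  for (const name of req.headerNames) {
    if (!allowed.includes(name.toLowerCase()) && !wildcard(allowed)) {
      return done(false, "header-not-allowed");
    }
  }
  return done(true, "");
}
```

Server-side CORS middleware can mirror the same order so that a request it will reject on PNA grounds never reaches its method and header matching.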