CORS Access-Control-Max-Age is ignored

http http-headers cors same-origin-policy access-control
21,920

Solution 1

If you are using Chrome Dev Tools, make sure you have "Disable cache (while DevTools is open)" unchecked. I was having issues with the "Access-Control-Max-Age" not being honored only to realize that I had that option checked.

Solution 2

Chrome/Blink imposes a max preflight time of 10 minutes (600 seconds). Here's the location in source code that defines this:

https://chromium.googlesource.com/chromium/blink/+/master/Source/core/loader/CrossOriginPreflightResultCache.cpp#40

Any preflight time above 10 minutes will be ignored, and 10 minutes will be used instead.

Different browsers may have different max age policies. Safari/WebKit caches for up to 5 minutes, while Firefox caches for up to 24 hours. The Chrome source code indicates that the max value exists in order to "minimize the risk of using a poisoned cache after switching to a secure network".

If the code can't parse the max-age header (or the server doesn't specify a max-age header), the browser defaults to 5 seconds.

Solution 3

I wouldn't rely too heavily on preflight caching.

From the spec:

User agents may clear cache entries before the time specified in the max-age field has passed.

Also, keep the following in mind, (from the CORS spec):

There is a cache match when there is a cache entry in the preflight result cache for which the following is true:

The origin field value is a case-sensitive match for source origin.

The url field value is a case-sensitive match for request URL.

The credentials field value is true and the omit credentials flag is unset, or it is false and the omit credentials flag is set.

Your screenshot does not provide a way to determine if any of the above are true.

Share:
21,920
Roland Schütz
Author by

Roland Schütz

Software Architect in Vienna http://rolandschuetz.at Check out my current project: Bancha - Seamlessly integrate CakePHP 2 with ExtJS 4 and Sencha Touch 2 http://banchaproject.org

Updated on November 22, 2020

Comments

  • Roland Schütz
    Roland Schütz over 3 years

    I'm hosting an WebApp and his API on different domains and use CORS to be able to work around the same origin policy. So far, so good. This works.

    To only send a CORS preflight once per session I set the Access-Control-Max-Age to 20 days, But this is not working (tested in Chrome): https://db.tt/vfIW3fD2

    What do I have to change?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

405 Method Not Allowed despite CORS
Access-Control-Request-Header: - x-requested-with
How do I use Access-Control-Allow-Origin? Does it just go in between the html head tags?
CORS and Origin header?
Setting HTTP headers
What does the sec-fetch-site header mean? Why is the Origin header undefined?
Cross-Origin request warning for google fonts
Flutter web integration test CORS XMLHttpRequest error
Headers not being set on http Flutter
Flutter - VideoPlayer - Support http headers while constructing video controller from network datasource