Network roundtrips doubled for API requests #6
Comments
|
Thanks for the feedback @petipp, I discussed this with @cfredric and we think that both suggested alternatives might be viable, but would like to explore the second option first as it gives 3p embed developers a little more control over consistency and security of their apps. cc @bvandersloot who was previously arguing for a closer integration with CORS and @arturjanc who has opinions on security things |
|
@johannhof Can you outline in a little more detail how the "second option" would work here? Would we store the fact that a particular URL opted into receiving credentialed requests by setting the Re: "automatic storage access for CORS", Fetch already has the |
|
@arturjanc Yeah we're coming up with a new proposal right now, in my mind this might be an explicit developer opt-in ala Right, I don't think it's hard to limit this access to CORS requests, we're already doing that with RWS / rSAFor today. I don't think that CORS in itself is sufficient for opt-in though, given the lack of preflights for most practically used requests. |
|
@johannhof That's fair. FWIW, CORS would be sufficient for us because our API is POST-based so there's always a preflight. |
|
Are you sure? My understanding is that POST isn't CORS-preflighted by default, but I haven't used it in practice in a long while. |
|
I see. Yes, we definitely do have the preflight: But looking further at it, it seems to be because of custom headers, if I read this correctly: |
|
Ah, yeah, that makes sense! |
and others
We have a SPA that uses pop-ups to establish web sessions (tracked in first-party cookies) to other user-defined domains and then uses CORS XHR/Fetch POST requests to execute queries on those remote systems.
In trying to enable the Storage Access API, we have created an iframe that requests access. However, the access request is scoped only to that specific iframe.
Somehow we need the ability to request access for the many network requests we will be making.
Will Storage Access Headers solve this?
On the surface it does look like it would functionally allow things to work by returning the correct headers. However, the requirement to double every network request (each one being first sent without cookies and then with cookies) will have terrible performance consequences particularly when the latency between browser and data source can be higher than 300ms. (e.g. 5 sequential network request = 1.5 seconds of extra waiting).
Two possible changes
The best option would be to address this by considering CORS to automatically request storage access for all API calls if configured with Access-Control-Allow-Credentials? The single OPTIONS request made at the beginning of the CORS workflow should be sufficient to determine that the data source requires cookies, and every API call thereafter should automatically be granted storage access if there is already a pending grant (i.e. created via an iframe calling requestStorageAccess).
As a compromise, the storage access headers could be required only for the first request sent to the given target API - and all further requests to the same top-level domain would benefit from the request.
The text was updated successfully, but these errors were encountered: