corspreflight

What is cached with CORS Access-Control-Max-Age


If I respond to a cors request that includes access-control-request-method:PUT with response header access-control-allow-origin matching the origin and just access-control-allow-method:PUT and access-control-max-age:7200 will that be cached for 2 hours and always return only method PUT or will I be able to respond with just the specific method(s) requested if say the next request was access-control-request-method:POST?


Solution

  • and always return only method PUT or will I be able to respond with just the specific method(s) requested if say the next request was access-control-request-method:POST?

    It will not always return only PUT; if the next request has access-control-request-method: POST, then the cache will be skipped and new request will be made to your server.

    That’s per the relevant requirements in the Fetch spec (the spec that currently defines browser behavior for the CORS protocol); specifically, browsers are required to cache preflights per-method, and to only use the cache when there’s a “method cache match”.

    So your first request with the PUT method creates one preflight cache entry for PUT requests, with an expiration of Access-Control-Max-Age seconds — and any next request with a POST method would create a separate preflight cache entry for POST requests, with its own expiration of Access-Control-Max-Age seconds.