If I respond to a cors request that includes access-control-request-method:PUT
with response header access-control-allow-origin
matching the origin and just access-control-allow-method:PUT
and access-control-max-age:7200
will that be cached for 2 hours and always return only method PUT or will I be able to respond with just the specific method(s) requested if say the next request was access-control-request-method:POST?
and always return only method PUT or will I be able to respond with just the specific method(s) requested if say the next request was access-control-request-method:POST?
It will not always return only PUT
; if the next request has access-control-request-method: POST
, then the cache will be skipped and new request will be made to your server.
That’s per the relevant requirements in the Fetch spec (the spec that currently defines browser behavior for the CORS protocol); specifically, browsers are required to cache preflights per-method, and to only use the cache when there’s a “method cache match”.
So your first request with the PUT
method creates one preflight cache entry for PUT
requests, with an expiration of Access-Control-Max-Age
seconds — and any next request with a POST
method would create a separate preflight cache entry for POST
requests, with its own expiration of Access-Control-Max-Age
seconds.