CORS redesign in 3.0 #3452
Comments
The Fetch spec states that clients should only execute required CORS calls. Leaving out the filtering of CORS calls will reduce load-times slightly. It also allows non-compliant clients to function properly. In my opinion having no filtering and some non-compliant work is better than having the filtering, being compliant but forcing clients to resort to other methods to access the application.
@FlyingWraptor what do you mean by filtering?
@pranavkm Filtering, enforcing...
Ahh, yup. I entirely agree. I spent some time a couple weekends ago to see what it would look like to clean up the filtering - aspnet/CORS@14edbf3, just haven't gotten to verify if it's spec compliant.
@pranavkm Let's queue all these things for 3.0 and revamp the implementation.
Are you certain frameworks have this sort of control over the inherent browser implementation of things like CORS and same-origin policy? IOW, frameworks should be subject to the browser behavior, not that frameworks instruct browsers how to behave for such features.
@brockallen I am not, but it does this for both my simple Cross-Origin GET and POST requests (which is what alarmed me about this issue). After some testing (I do not fully remember correctly) I believe it required valid CORS responses for any requests going to a different DNS name.
@javiercn, @mkArtakMSFT, is there any proposal of improvement(s)? I'm currently facing inability to extend CORS as is. There's one corner-case: imagine you have I was thinking of:
This way, I would be able to create my own Is it worth opening a PR now?
@wdolek Thanks for contacting us. We haven't started gathering information to do this yet. Regarding your specific issue, is it something like contoso.* what you want? I believe you can already set a delegate on CorsOptions to do this. I would hold off on sending a PR for this as we want to take our time to look at all scenarios and how they fit together.
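Added example, not part of the thread and not the project's own code: one way to express a `contoso.*`-style rule with the origin delegate that ASP.NET Core exposes on the policy builder as `SetIsOriginAllowed`. The host list, the policy name `ContosoOrigins`, and the `OriginRules` class are assumptions made for illustration; the rule enumerates the owned domains explicitly rather than pattern-matching, so only hosts the operator actually controls are accepted.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

public static class OriginRules
{
    // Hypothetical allow-list: the registrable domains the operator owns.
    private static readonly string[] AllowedHosts =
        { "contoso.com", "contoso.de", "contoso.co.uk" };

    public static bool IsAllowed(string origin)
    {
        // Parse the Origin value instead of substring-matching it, so the
        // comparison is made against the host component only.
        if (!Uri.TryCreate(origin, UriKind.Absolute, out var uri)) return false;
        if (uri.Scheme != Uri.UriSchemeHttps || !uri.IsDefaultPort) return false;

        // An Origin header is scheme://host[:port]; reject anything richer.
        if (uri.AbsolutePath != "/" || uri.Query.Length > 0 ||
            uri.Fragment.Length > 0 || uri.UserInfo.Length > 0) return false;

        foreach (var host in AllowedHosts)
        {
            // Exact match, or a subdomain anchored on a dot boundary.
            if (string.Equals(uri.Host, host, StringComparison.OrdinalIgnoreCase) ||
                uri.Host.EndsWith("." + host, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddCors(options =>
            options.AddPolicy("ContosoOrigins", policy =>
                policy.SetIsOriginAllowed(OriginRules.IsAllowed)
                      .AllowAnyHeader()
                      .AllowAnyMethod()));
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseCors("ContosoOrigins");
    }
}
```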
@javiercn Thank you for the fast response! Yes, I can somehow do it even now, sort of, but everything that came to my mind was a bit hackish (closures to hold settings?). I will try to rethink it and apply solution to current Is there any board where I could check progress on decisions/ideas/direction of CORS improvements?
Not really, I filed an issue to keep track of this, but I don't know if we'll do it for 3.0.
Closing this as there is no real need for this and we've had a bunch of improvements in this area recently.
Our CORS implementation leaves some room for improvement. We keep getting issues from customers about it.
We should take 3.0 as an opportunity to revisit the scenarios customers need to support and to update our implementation to be cleaner and more straightforward as we keep getting issues from customers that are hard to fix or make our CORS implementation too complicated and confusing.