-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Network roundtrips doubled for API requests #6
Comments
Thanks for the feedback @petipp, I discussed this with @cfredric and we think that both suggested alternatives might be viable, but would like to explore the second option first as it gives 3p embed developers a little more control over consistency and security of their apps. cc @bvandersloot who was previously arguing for a closer integration with CORS and @arturjanc who has opinions on security things |
@johannhof Can you outline in a little more detail how the "second option" would work here? Would we store the fact that a particular URL opted into receiving credentialed requests by setting the Re: "automatic storage access for CORS", Fetch already has the |
@arturjanc Yeah we're coming up with a new proposal right now, in my mind this might be an explicit developer opt-in ala Right, I don't think it's hard to limit this access to CORS requests, we're already doing that with RWS / rSAFor today. I don't think that CORS in itself is sufficient for opt-in though, given the lack of preflights for most practically used requests. |
@johannhof That's fair. FWIW, CORS would be sufficient for us because our API is POST-based so there's always a preflight. |
Are you sure? My understanding is that POST isn't CORS-preflighted by default, but I haven't used it in practice in a long while. |
Ah, yeah, that makes sense! |
Hi @petipp, We're thinking of the scope of the "stickiness" discussed above. Would it be reasonable for your usecase to maintain stickiness for the exact URLs? including the query params and/or URL fragment |
Hi @sandormajor Would it be possible to aggregate them by a common path? Would that then require an additional (optional) to be returned with Activate-Storage-Access? e.g. something like this: |
@petipp Would you be willing to share a typical flow of requests for your use case with real(-ish) looking URLs? We're trying to understand whether scoping should support wildcards (e.g. so that anything under |
@arturjanc GET https://host:port/a/b/service/v2/GetServerInfo So if we could make the initial GET handle the SAH permissions for the POST requests then this would be perfect. So for our case a list of specific other endpoints would also work fine. I would prefer if the paths could be relative (e.g. ./GetResponse) just in case a reverse proxy is used. |
Hi @sandormajor Sorry for the delay. Yes, this looks like it would work for us. Though we currently only need to be able to provide a single URL, it would also be good to know that it would accept multiple URLs (comma-separated?). Is that included in the proposal? It didn't seem to be mentioned in the document. |
Hi @petipp, Thank you for the feedback! Yes, it is going to be an inner-list which has a space-separated syntax like this:
|
We have a SPA that uses pop-ups to establish web sessions (tracked in first-party cookies) to other user-defined domains and then uses CORS XHR/Fetch POST requests to execute queries on those remote systems.
In trying to enable the Storage Access API, we have created an iframe that requests access. However, the access request is scoped only to that specific iframe.
Somehow we need the ability to request access for the many network requests we will be making.
Will Storage Access Headers solve this?
On the surface it does look like it would functionally allow things to work by returning the correct headers. However, the requirement to double every network request (each one being first sent without cookies and then with cookies) will have terrible performance consequences particularly when the latency between browser and data source can be higher than 300ms. (e.g. 5 sequential network request = 1.5 seconds of extra waiting).
Two possible changes
The best option would be to address this by considering CORS to automatically request storage access for all API calls if configured with Access-Control-Allow-Credentials? The single OPTIONS request made at the beginning of the CORS workflow should be sufficient to determine that the data source requires cookies, and every API call thereafter should automatically be granted storage access if there is already a pending grant (i.e. created via an iframe calling requestStorageAccess).
As a compromise, the storage access headers could be required only for the first request sent to the given target API - and all further requests to the same top-level domain would benefit from the request.
The text was updated successfully, but these errors were encountered: