Reputation: 3570
Prevent multiple OPTIONS request for the same domain
I am trying to develop a single page application (SPA) that uses as endpoint a domain that is different from the one hosted in the SPA domain (ie: site.com and site-api.com or api.site.com).
Access Control headers are already set up in the back-end, Max-Age included, however it does not seem to work.
Here's an example of what happens if I perform the same call multiple times:
These are the server headers:
- Access-Control-Allow-Headers:
AUTHORIZATION,CONTENT-TYPE - Access-Control-Allow-Methods:
PATCH - Access-Control-Allow-Origin:
http://tovertaal.test:3000 - Access-Control-Max-Age:
600
Shouldn't Max-Age 600 prevent every other OPTIONS request within 600 seconds from the first OPTIONS request?
The server endpoint is http://tovertaal-api.test.
Upvotes: 9
Views: 1515
Answers (1)
Reputation: 3570
I have finally discovered what was the issue. It seems like Chrome DevTools, when disable cache is active, also disables CORS Origin cache, so it keeps triggering OPTIONS request for stuff that should have been cached already.
Make sure to keep caching enabled if you want to test it!
Upvotes: 4
Related Questions
- handle multiple domains with Access-Control-Allow-Origin header in Apache
- Disable preflight OPTION request when sending a cross domain request with custom HTTP header
- Bypassing authentication for "Options request" (so all headers are sent in the response)
- Avoid defaulting to deny when a site has multiple headers for X-Frame-Options
- handling CORS preflight request in Apache
- htaccess - How to NOT send Access Control headers when same origin
- Repeated OPTIONS requests for cors / ajax requests
- CORS GET with custom headers: is it possible to get rid of OPTIONS
- Why multiple OPTIONS request are sent, even if Access-Control-Allow-Origin is set to *?
- Suppress OPTIONS Requests in Angular CORS