1669780 - access-control-max-age is ignored

Status: VERIFIED FIXED

(Core :: Networking: HTTP, defect, P2)

Description

[Kongpheng.Nanthavongsa]

Attachment: Screenshot of preflight check for ClientEvent not being cached

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36

Steps to reproduce:

Go to http://meet.tokbox.com/testing-access-control-max-age
Open network tab so you can inspect API calls

Actual results:

There's a constant stream of preflight checks for "ClientEvent", even though the header access-control-max-age was set to 1728000.

Expected results:

Preflight checks should be cached to the value set by the header access-control-max-age. There should be, at most, only one preflight check for the lifetime set by access-control-max-age.

Comment 1

[Kershaw Chang [:kershaw]]

So, the problem is that we skip the CORS preflight cache at here. The reason is that the CORS request (https://hlg-dev.tokbox.com/qa/logging/ClientEvent) is using POST method and for POST method we set the LOAD_BYPASS_LOCAL_CACHE flag at here.

It seems that what we did in bug 1569715 is not right. Maybe we should not skip CORS preflight cache.

Anne, do you know if the spec describes whether we can bypass the CORS preflight cache?

Comment 2

[Anne (:annevk)]

See step 4.1 of https://fetch.spec.whatwg.org/#concept-http-fetch. The preflight cache is always checked.

Comment 3

[Valentin Gosu [:valentin] (he/him)]

(In reply to Anne (:annevk) from comment #2)

See step 4.1 of https://fetch.spec.whatwg.org/#concept-http-fetch. The preflight cache is always checked.

Thanks for the info. Let's back out bug 1569715 for now. Maybe we can find a better way around the CORS preflight cache that works for devtools only.

Comment 4

[Valentin Gosu [:valentin] (he/him)]

Attachment: Bug 1669780 - Backed out changeset 29d1be2b96f9 (Bug 1569715) for causing us to skip CORS preflight cache for POST requests r=#necko

Comment 5

[Pulsebot]

Pushed by valentin.gosu@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/a15ccb198dcb
Backed out changeset 29d1be2b96f9 (Bug 1569715) for causing us to skip CORS preflight cache for POST requests r=necko-reviewers,kershaw

Comment 6

[Narcis Beleuzu [:NarcisB]]

https://hg.mozilla.org/mozilla-central/rev/a15ccb198dcb

Comment 7

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:valentin, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Comment 8

[Valentin Gosu [:valentin] (he/him)]

Comment on attachment 9181968 [details]
Bug 1669780 - Backed out changeset 29d1be2b96f9 (Bug 1569715) for causing us to skip CORS preflight cache for POST requests r=#necko

Beta/Release Uplift Approval Request

• User impact if declined: Unnecessary CORS requests will be made for POST requests
• Is this code covered by automated tests?: No
• Has the fix been verified in Nightly?: Yes
• Needs manual test from QE?: Yes
• If yes, steps to reproduce: see comment 0
• List of other uplifts needed: None
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): This is just a backout with no extra changes.
• String changes made/needed:

Comment 9

[Pascal Chevrel:pascalc (PTO until April 26)]

Comment on attachment 9181968 [details]
Bug 1669780 - Backed out changeset 29d1be2b96f9 (Bug 1569715) for causing us to skip CORS preflight cache for POST requests r=#necko

Approved for 83 beta 6, thanks.

Comment 10

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/releases/mozilla-beta/rev/aa869beefa20

Comment 11

[Raluca Popovici, Desktop QA]

Reproduced the initial issue in Beta 83.0b5 and Release 82.0.2 using Windows 10.
Verified - Fixed in latest Nightly 84.0a1 (build id: 20201029040710) and Beta 83.0b6 (build id: 20201028180355), using Windows 10, Ubuntu 18.04 and Mac 10.15.