
> we had to deal with making CORS requests from app.example.com to api.example.com

What? If you share the same domain but a different subdomain then just set the document.domain property[1] so they trust each other and be done with it. You don't even need CORS...

Alternatively, set up a proxy to keep everything behind the same domain. This is typically a best practice.

> In our case, since each CORS request makes a preflight check, it doubles this significant latency without adding any value.

Considering CORS contains no body and does no processing beyond asking what the client can and cannot do, it seems odd this would always "double" the latency here.

> After reading a great blog post and MDN’s CORS docs I realized there are circumstances where the browser does not make a preflight request, if conditions are met

Okay this is scaring me. Where are we going with this?

> In terms of security, all API calls should be using https and there is little difference in putting the token in headers or as part of the query string.

Yeah, I was afraid of that. Please don't do this, especially if you use that URL in any way to give the user access to a link (e.g. downloading a file), because now it's part of their browser history and they can't completely log out.

> Thanks for reading this! I hope it helped, even if the conclusion is “preflight requests are too troublesome, I’m going proxy” :)

A proxy is the correct solution. Not this horrible hack fest of completely disregarding important HTTP headers. Sigh

[1] https://developer.mozilla.org/en-US/docs/Web/API/Document/do...
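The comment above turns on two facts: which cross-origin requests the browser sends with a preflight, and why a same-origin proxy sidesteps the question entirely. The following is an added example, not code from the thread or from the blog post being discussed; it implements the CORS-safelisted request rules from the Fetch standard (method GET/HEAD/POST, only the safelisted headers, a safelisted Content-Type, header values of at most 128 bytes; the Range header special case is omitted), a same-origin check, and a small detector for bearer tokens carried in a query string. The header and parameter names in the sample scenarios are constructed for illustration.

```javascript
// Added example (not from the HN thread): why moving a token from a header to
// the query string "removes" the preflight, and why a proxy removes CORS itself.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);
const MAX_SAFE_VALUE_BYTES = 128; // Fetch standard limit on safelisted header values

// Decide whether the browser would send an OPTIONS preflight before this
// cross-origin request, and list every rule that triggers it.
function needsPreflight(method, headers = {}) {
  const reasons = [];
  if (!SAFE_METHODS.has(method.toUpperCase())) {
    reasons.push(`method ${method} is not GET/HEAD/POST`);
  }
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFE_HEADERS.has(lower)) {
      reasons.push(`header ${name} is not CORS-safelisted`);
      continue;
    }
    if (Buffer.byteLength(String(value)) > MAX_SAFE_VALUE_BYTES) {
      reasons.push(`header ${name} value exceeds ${MAX_SAFE_VALUE_BYTES} bytes`);
    }
    if (lower === 'content-type') {
      const mime = String(value).split(';')[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(mime)) {
        reasons.push(`Content-Type ${mime} is not safelisted`);
      }
    }
  }
  return { preflight: reasons.length > 0, reasons };
}

// Same origin means scheme, host and port all match; subdomains do not count.
// A request that stays same-origin never involves CORS, preflight or not.
function isSameOrigin(pageUrl, requestUrl) {
  const a = new URL(pageUrl);
  const b = new URL(requestUrl);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Detection side of the commenter's objection: flag credentials that would end
// up in browser history, proxy logs and Referer headers because they ride in
// the query string. The parameter names are constructed, not an exhaustive list.
const SECRET_PARAMS = new Set(['token', 'access_token', 'api_key', 'apikey', 'auth']);
function secretsInQuery(requestUrl) {
  const found = [];
  for (const key of new URL(requestUrl).searchParams.keys()) {
    if (SECRET_PARAMS.has(key.toLowerCase())) found.push(key);
  }
  return found;
}

// Scenarios from the thread, with constructed URLs and a constructed token.
function scenarios() {
  const page = 'https://app.example.com/dashboard';
  const apiDirect = 'https://api.example.com/users';
  const apiViaProxy = 'https://app.example.com/api/users';
  return {
    // "before": bearer token in a header -> preflight on every call
    headerToken: needsPreflight('GET', { Authorization: 'Bearer constructed-token' }),
    // "after": same call with the token in the query string -> no preflight,
    // but the token now lives in the URL
    queryToken: needsPreflight('GET', { Accept: 'application/json' }),
    queryTokenLeak: secretsInQuery(`${apiDirect}?token=constructed-token`),
    // JSON bodies also preflight, regardless of where the token goes
    jsonPost: needsPreflight('POST', { 'Content-Type': 'application/json' }),
    // the proxy route: CORS never enters the picture
    directIsCrossOrigin: !isSameOrigin(page, apiDirect),
    proxyIsSameOrigin: isSameOrigin(page, apiViaProxy),
  };
}

module.exports = { needsPreflight, isSameOrigin, secretsInQuery, scenarios };
```

Run `node` on the file and call `scenarios()`: the header-token request reports a preflight because `Authorization` is not safelisted, the query-string variant reports none but `secretsInQuery` flags the `token` parameter, and only the proxied path is same-origin, which is the point of the "just use a proxy" reply.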

