Issue 131368: Chrome ignores Access-Control-Max-Age for CORS
Status:  Untriaged
Owner:  ----

Reported by, Jun 6, 2012
Chrome Version: 19.0.1084.52 (Официальная сборка 138391) m
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)

What steps will reproduce the problem?
1. Open , open Developer Tools and switch to Console tab.
2. Run the following code snippet:
var xhr = new XMLHttpRequest();
xhr.open("POST", "", true);
xhr.setRequestHeader("X-Requested-With", "XmlHttpRequest");
xhr.send();
3. Switch to the Network tab and make sure that there were two requests: OPTIONS and POST. Check that the response to the OPTIONS request contains the header Access-Control-Max-Age:365000
4. Wait about 10-15 minutes and repeat step 2.

What is the expected result?
Only one POST request is performed in step 4.

What happens instead?
Two requests are performed again: OPTIONS and POST.

Jun 6, 2012
(No comment was entered for this change.)
Labels: Internals-Network-HTTP
Jun 7, 2012
(No comment was entered for this change.)
Labels: -Area-Undefined Area-Internals Internals-Network-Cache
Jun 7, 2012
I'm not sure I understand the issue...

We don't cache OPTIONS(*), so any max-age header there is irrelevant.

(*) OPTIONS is not cacheable by the RFC 2616.

If that's not what you meant, please follow
Status: WontFix
Jun 7, 2012
> We don't cache OPTIONS(*), so any max-age header there is irrelevant.

That's not true, actually.
Chrome caches the OPTIONS request, but only for 10 minutes, and this is what I was talking about in the report. If you carefully read the reproduction steps and perform several requests in step 2, you will see that only the first request issues an OPTIONS request and subsequent requests don't.

According to , which actually describes CORS and the Access-Control-Max-Age header, results of preflight requests can be cached by the UA in the preflight result cache.
But we should read "can be" as "should be", because caching is a very important and basic UA ability and should be done anyway, I think - and Chrome does it, but ignores the Access-Control-Max-Age value sent in the response. Imagine that all browsers stop caching network resources - this will lead to internet collapse.

I've collected network data according to and you can see that the OPTIONS request is cached only for about 10 minutes, independently of the Access-Control-Max-Age header value.

I hope I've described the situation correctly.
Jun 8, 2012
I've found some code in that seems to be related to the problem.

static const unsigned maxPreflightCacheTimeoutSeconds = 600; // Should be short enough to minimize the risk of using a poisoned cache after switching to a secure network.

    unsigned expiryDelta;
    if (parseAccessControlMaxAge(response.httpHeaderField("Access-Control-Max-Age"), expiryDelta)) {
        if (expiryDelta > maxPreflightCacheTimeoutSeconds)
            expiryDelta = maxPreflightCacheTimeoutSeconds;
    } else
        expiryDelta = defaultPreflightCacheTimeoutSeconds;

I don't know why this is done, because any value specified in the Access-Control-Max-Age header that is greater than maxPreflightCacheTimeoutSeconds will be ignored and the expiration will be set to maxPreflightCacheTimeoutSeconds in this case.

This looks like a hack to me and does not correspond to the specification.
Could you please check this?

PS: I am now digging into another problem where Chrome sometimes sends a buggy POST XHR (with Content-Length=0 and a corrupted body) right after the CORS preflight request. But at the moment I cannot reproduce this myself - I only see this failure in server logs.
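
An added example, not part of the original comment and not WebKit's code: a simplified JavaScript model of a preflight result cache that applies the 600-second cap from the quoted snippet and replays the reproduction steps. The default timeout of 5 seconds, the parsing rule, the cache keying by origin and URL, and the example.test hosts are assumptions made for illustration.

```javascript
// Simplified model of a preflight result cache with the 600-second cap.
const MAX_PREFLIGHT_CACHE_SECONDS = 600;   // cap from the snippet quoted above
const DEFAULT_PREFLIGHT_CACHE_SECONDS = 5; // assumed value; the page does not give it

// Assumed parsing rule: a plain non-negative decimal integer, else "unparseable".
function parseMaxAge(headerValue) {
  if (typeof headerValue !== "string" || !/^\s*\d+\s*$/.test(headerValue)) return null;
  return Number(headerValue.trim());
}

// Same branch structure as the quoted code: clamp if parsed, default otherwise.
function effectiveLifetime(headerValue) {
  const parsed = parseMaxAge(headerValue);
  if (parsed === null) return DEFAULT_PREFLIGHT_CACHE_SECONDS;
  return Math.min(parsed, MAX_PREFLIGHT_CACHE_SECONDS);
}

class PreflightCache {
  constructor() { this.expiryByKey = new Map(); }
  store(origin, url, maxAgeHeader, nowSeconds) {
    this.expiryByKey.set(origin + " " + url, nowSeconds + effectiveLifetime(maxAgeHeader));
  }
  // True when a fresh entry exists, so the OPTIONS request can be skipped.
  isFresh(origin, url, nowSeconds) {
    const key = origin + " " + url;
    const expiry = this.expiryByKey.get(key);
    if (expiry === undefined) return false;
    if (nowSeconds >= expiry) { this.expiryByKey.delete(key); return false; }
    return true;
  }
}

// Replays the reproduction steps: which requests go out at each point in time.
function replay(maxAgeHeader, timesSeconds) {
  const cache = new PreflightCache();
  const origin = "https://app.example.test";   // constructed sample origin
  const url = "https://api.example.test/data"; // constructed sample URL
  return timesSeconds.map((t) => {
    if (cache.isFresh(origin, url, t)) return "POST";
    cache.store(origin, url, maxAgeHeader, t); // preflight response is cached here
    return "OPTIONS+POST";
  });
}

// Header value from the report; requests at 0 s, 1 min and 15 min.
console.log(replay("365000", [0, 60, 900]));
```

With the cap in place, the server's Access-Control-Max-Age only takes effect for values below 600, which matches the 10-minute behaviour observed in the Network tab.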
Jun 8, 2012
Thanks for the explanation.

This is a WebKit issue then, not related to the HTTP cache.
Summary: Chrome ignores Access-Control-Max-Age for CORS
Status: Untriaged
Labels: -Area-Internals -OS-Windows -Internals-Network-HTTP -Internals-Network-Cache Area-WebKit WebKit-Core
Mar 10, 2013
(No comment was entered for this change.)
Labels: -Area-WebKit -WebKit-Core Cr-Content Cr-Content-Core
Apr 5, 2013
(No comment was entered for this change.)
Labels: -Cr-Content Cr-Blink