Anne van Kesteren


Due to feedback from a number of people, among others the Blogger team at Google, Ian Hickson and I came up with a proposal to create less load on the server for cross-site requests using an HTTP method other than GET. Until now such requests would require two requests for each distinct URI: a preflight request that can be cached, and the actual request. Requests following those two, to the same URI, would no longer require the preflight request (if cached), but a distinct URI on the same server would. Especially for REST APIs this is not really cool. The new proposal allows you to specify a policy path in response to the initial preflight request using the new Method-Check-Policy-Path HTTP response header. A request is then made to that URI and if that satisfies all conditions (a proper Access-Control header and a Method-Check-Policy-Path header that points to the same URI), all URIs that start with that URI will not require a preflight request, but instead go straight through. The only downside is that the specification has become more complex.
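The bookkeeping described above, modelled as a toy user agent and server in JavaScript. This is an added example, not code or algorithm text from the draft; the host names, the simplified Access-Control value (just the allowed origin) and all function names are assumptions.

```javascript
// Toy model of a user agent's preflight bookkeeping (added example, not the draft's text).
// Header values are simplified stand-ins: "Access-Control" holds only the allowed origin.
const ORIGIN = "http://blog.example.com";   // constructed requesting site
const API = "http://api.example.org/v1/";   // constructed policy path

// Constructed server: returns response headers for a preflight or policy request.
function makeServer(policyPath, policyEcho) {
  return (uri) => {
    const headers = { "Access-Control": ORIGIN };
    if (policyPath) {
      // The policy URI answers with policyEcho; every other URI points at policyPath.
      headers["Method-Check-Policy-Path"] = uri === policyPath ? policyEcho : policyPath;
    }
    return headers;
  };
}

class UserAgent {
  constructor(server) {
    this.server = server;
    this.preflighted = new Set(); // per-URI preflight cache
    this.policyPaths = [];        // accepted policy paths
    this.extraRequests = 0;       // preflight + policy requests sent
  }
  allowed(headers) { return headers["Access-Control"] === ORIGIN; }

  // Returns true if the non-GET request to `uri` may be sent.
  send(uri) {
    if (this.policyPaths.some((p) => uri.startsWith(p))) return true; // covered by policy
    if (this.preflighted.has(uri)) return true;                       // cached preflight
    this.extraRequests++;                                             // preflight request
    const pre = this.server(uri);
    if (!this.allowed(pre)) return false;
    this.preflighted.add(uri);
    const path = pre["Method-Check-Policy-Path"];
    if (path) {
      this.extraRequests++;                                           // policy request
      const pol = this.server(path);
      // Accept only if the policy URI is allowed and names itself as the policy path.
      if (this.allowed(pol) && pol["Method-Check-Policy-Path"] === path) this.policyPaths.push(path);
    }
    return true;
  }
}

function extraRequestsFor(server, uris) {
  const ua = new UserAgent(server);
  uris.forEach((u) => ua.send(u));
  return ua.extraRequests;
}
const URIS = ["posts/1", "posts/2", "comments/7", "posts/1"].map((s) => API + s);
```

In this model the prefix test is a plain string comparison, so a policy path without a trailing slash (`.../v1`) would also cover `.../v1-internal/`; ending the policy path in `/` keeps the exemption inside the intended subtree.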


  1. This didn't make any sense to me at all. Could you please post a couple of request-response examples on how this would work in practice?

    Posted by Asbjørn Ulsberg at

  2. Some simple ones are in the draft. The draft is changing slightly though.

    Posted by Anne van Kesteren at