Due to feedback from a number of people, among others the Blogger team at Google, Ian Hickson and I came up with a proposal to create less load on the server for cross-site requests using an HTTP method other than GET. Until now such requests would require two requests for each distinct URI: a preflight request that can be cached, and the actual request. Requests following those two, to the same URI, would no longer require the preflight request (if cached) but a distinct URI on the same server would. Especially for REST APIs this is not really cool. The new proposal allows you to specify a policy path in response to the initial preflight request using the new Method-Check-Policy-Path HTTP response header. A request is then made to that URI and if that satisfies all conditions (proper Access-Control header and Method-Check-Policy-Path header that points to the same URI) all URIs that start with that URI will not require a preflight request, but instead go straight through. The only downside is that the specification has become more complex.
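The check described above, modeled from the client's side as an added example (not code from the draft or from this post's author). The two header names are from the post; the class, the fetchHeaders callback, the isProper predicate, the hosts and the header values are constructed, the same-origin restriction is an assumption, and the prefix match runs on the parsed URL so that ".." segments are resolved before comparing.

```javascript
// Added example: client-side model of the policy-path decision in the post.
// Header names are from the post; everything else here is hypothetical.
class PolicyPathCache {
  constructor() { this.policies = []; }
  // True when `uri` starts with a verified policy URI (no preflight needed).
  // new URL() resolves "." and ".." segments before the prefix comparison.
  covers(uri) {
    const u = new URL(uri);
    return this.policies.some(p =>
      u.origin === p.origin && u.pathname.startsWith(p.pathname));
  }
  // Handle a preflight response for requestUri. fetchHeaders(uri) returns
  // the response headers (lower-cased names) of a request to uri.
  learn(requestUri, preflightHeaders, fetchHeaders, isProperAccessControl) {
    const declared = preflightHeaders['method-check-policy-path'];
    if (!declared) return false;
    const policy = new URL(declared, requestUri);
    // Assumption: a policy on another origin is never accepted.
    if (policy.origin !== new URL(requestUri).origin) return false;
    const h = fetchHeaders(policy.href);
    // Condition from the post: the policy resource points to itself.
    const self = h['method-check-policy-path'];
    if (!self || new URL(self, policy.href).href !== policy.href) return false;
    // Condition from the post: a proper Access-Control header.
    if (!isProperAccessControl(h['access-control'])) return false;
    this.policies.push(policy);
    return true;
  }
}
// Constructed sample server; header values are placeholders, not draft syntax.
const SAMPLE = {
  'https://api.example/blog/': { 'access-control': 'constructed-allow-value',
    'method-check-policy-path': '/blog/' },
  'https://api.example/other/': { 'access-control': 'constructed-allow-value',
    'method-check-policy-path': '/blog/' }, // points elsewhere: rejected
};
const fetchHeaders = uri => SAMPLE[uri] || {};
const isProper = v => v === 'constructed-allow-value';

function demo() {
  const cache = new PolicyPathCache();
  const ok = cache.learn('https://api.example/blog/posts/1',
    { 'method-check-policy-path': '/blog/' }, fetchHeaders, isProper);
  const bad = cache.learn('https://api.example/other/x',
    { 'method-check-policy-path': '/other/' }, fetchHeaders, isProper);
  return { ok, bad,
    sibling: cache.covers('https://api.example/blog/posts/2'),
    traversal: cache.covers('https://api.example/blog/../admin/users'),
    otherOrigin: cache.covers('https://other.example/blog/posts/2') };
}
```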
This didn't make any sense to me at all. Could you please post a couple of request-response examples on how this would work in practice?
Some simple ones are in the draft. The draft is changing slightly though.