bingalls (2)
#1
Nice book!
I'd like to see coverage of the following:
Impact of infrastructure, such as firewalls, redirectors, such as round robin DNS or Cisco load director.
Impact of hybrid systems. For example, I might have an IPsec IPv4 STS HTTP 1.0 system making CORS requests from an insecure IPv6 HTTP 2.0 (SPDY) CDN.

You might add a warning for people using, say, a CDN with dynamically generated URIs. This might work well, when testing on desktops, but the move to a mobile device will inject pre-flight caching, breaking your system.

Can any HTTP options be used inside a CORS request? Do HTTP options on the primary request impact CORS? In particular, I'm thinking that the Cache Pragma will fix the problem above. Don't forget HTTP 2.0.

How about the view from the CORS target server (e.g. CDN)? Can it recognize CORS requests, and treat them differently? Could this help debugging?

What is the impact of CORS on SEO, and can we accommodate? It seems that search engines will barely notice CORS, which could lead to black hat tricks. Google has an SEO standard for AJAX. Anything like this for CORS?

BTW, every modern browser now supports CORS, except Opera Mini (Mobile). I'm guessing that Opera Mini's server compression technique will prevent it from ever supporting CORS.

I believe there is still time for public comments on HTTP 2.0. What could be changed to better accommodate CORS?
monsur.hossain (22)
#2
Re: Feature Request
Thank you for your feedback. You raise some excellent points. Some of these issues will be covered in the "Best Practices" chapter. The first few chapters are devoted to explaining the high-level concepts in CORS, while the "Best Practices" chapter will cover the details of building a production-ready system.

I am not as familiar with HTTP 2.0 and CORS, but I will take a look. If you have specific concerns, you can raise them with the W3C, who own the CORS spec. Check the "Status of this Document" section in the CORS spec for details on how to do this: http://www.w3.org/TR/cors/

Thanks!
monsur.hossain (22)
#3
Re: Feature Request
Hi Bruce. I was reviewing your comments as I write chapter 6, and I was wondering what you meant by:

> You might add a warning for people using, say, a CDN
> with dynamically generated URIs. This might work
> well, when testing on desktops, but the move to a
> mobile device will inject pre-flight caching,
> breaking your system.

Could you provide an example of how things would break when moving to mobile? Preflight caching is present on both desktop and mobile browsers, so I don't see why they would behave differently. Thanks!