Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Reducing the impact of preflight requests #223

Open
Alexendoo opened this issue Jan 10, 2017 · 1 comment
Open

Reducing the impact of preflight requests #223

Alexendoo opened this issue Jan 10, 2017 · 1 comment
Labels
A-Client-Server Issues affecting the CS API feature Suggestion for a significant extension which needs considerable consideration

Comments

@Alexendoo
Copy link

For quick reference, a preflight request is required to be performed by a user agent implementing CORS when any of the following conditions are met:

  • The method is something other than GET, POST or HEAD
  • A header other than Accept, Accept-Language, Content-Language or Content-Type is set manually
  • Content-Type has a value other than application/x-www-form-urlencoded, multipart/form-data, or text/plain

Since matrix uses Content-Type: application/json, all non-GET requests require a preflight, this means for example that sending any event to the server requires 2 requests, adding additional latency and a bit of overhead

Unfortunately there's no perfect solution to the problem, but here are some options:

Proxy requests through the same origin

This one shifts the work onto the client meaning nothing has to change spec wise, but has quite a few issues:

  • Requires trusting the proxy to handle sensitive information (login details)
  • Adds latency through indirection
  • Adds another point of failure
  • Not possible with static sites

Allow Content-Type: text/plain

Feels like a hack, but parsing plain text POST messages as if they were JSON would mean no preflight request. However this wouldn't help for the common path of sending messages to rooms which uses PUT

Improve preflight cacheability

Preflight requests can be optionally cached by the user agent indicated using the header Access-Control-Max-Age. However the cache is per URL not just the origin, meaning that any change in the path (which includes query parameters) warrants another preflight request

The large issue with this one is that it would require a breaking change to the API, with frequently changing parameters being placed in the JSON body or as HTTP headers

Websockets

Websockets have no such overhead once the connection is established, however whilst they do not require breaking API compatibility it's still a large spec addition

@richvdh
Copy link
Member

richvdh commented Mar 6, 2018

Thanks for the suggestions.

It's worth noting that since the the authorization has moved into the headers (matrix-org/matrix-js-sdk#478), the situation has got worse in that all requests now get preflighted, which I suggest means that

Proxy requests through the same origin:

Unfortunately requiring a server-side component for things like riot-web, and giving the matrix access-token to whoever is hosting your web client, are non starters for us.

Allow Content-Type: text/plain

As you say, this is a hack. I think it also won't help due to the authorization headers.

Improve preflight cacheability

This might help reduce the number of preflight requests, though I suspect it won't give a useful reduction without moving lots of things from path/query params into request bodies.

Websockets

This might be the most practical solution. I've opened https://github.com/matrix-org/matrix-doc/issues/1148 to track this.

@turt2live turt2live added the feature Suggestion for a significant extension which needs considerable consideration label Jul 19, 2018
@turt2live turt2live added the A-Client-Server Issues affecting the CS API label Feb 6, 2019
@richvdh richvdh transferred this issue from matrix-org/matrix-spec-proposals Mar 1, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
A-Client-Server Issues affecting the CS API feature Suggestion for a significant extension which needs considerable consideration
Projects
None yet
Development

No branches or pull requests

3 participants