d79dcef4a6
CORS preflight for POST, PUT, DELETE makes every mutation operation require 2 round trips with the server. This can increase latency for any application running on a different origin. There is a workaround available in modern browsers: use POST with Content-Type: text/plain. This does not require CORS preflight, as servers should already be using XSRF protection strategies. Unfortunately this is incompatible with the current REST API, as many operations require PUT or DELETE methods, and a Content-Type of application/json. Support the requester to select a different method using query parameter '$m' and Content-Type with '$ct' in the URL, mocking the request with those. Using this style of request still requires the user session to be valid for access. Accept identity through the query parameters as 'access_token'. The XSRF token isn't necessary in this type of request as only permitted websites would be allowed to read cookie content to obtain the GerritAccount cookie value and include it in the URL. Change-Id: Ic7bc5ad2e57eef27b0d2e13523be78e8a2d0a65c |
||
|---|---|---|
| .. | ||
| http/jetty | ||
| init | ||