From b301a6b3db288ef50fbbf736262de7eed71eb5ef Mon Sep 17 00:00:00 2001
From: Rafael dos Santos Silva
Date: Thu, 14 Oct 2021 22:37:53 -0300
Subject: [PATCH] FEATURE: Cache CORS preflight requests for 2h (#14614)
* FEATURE: Cache CORS preflight requests for 2h
Browsers will cache this for 5 seconds by default. If using MessageBus in a different domain, Discourse will issue a new long polling, by default, every 30s or so. This means we would be issuing a new preflight request **every time**. This can be incredibly wasteful, so let's cache the authorization in the client for 2h, which is the maximum Chromium allows us as of today.
* fix tests
---
 config/initializers/008-rack-cors.rb | 1 +
 spec/components/hijack_spec.rb | 6 ++++--
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/config/initializers/008-rack-cors.rb b/config/initializers/008-rack-cors.rb
index 96ab5ba6197..b03fb2568fb 100644
--- a/config/initializers/008-rack-cors.rb
+++ b/config/initializers/008-rack-cors.rb
@@ -45,6 +45,7 @@ class Discourse::Cors
 headers['Access-Control-Allow-Headers'] = 'Content-Type, Cache-Control, X-Requested-With, X-CSRF-Token, Discourse-Present, User-Api-Key, User-Api-Client-Id, Authorization'
 headers['Access-Control-Allow-Credentials'] = 'true'
 headers['Access-Control-Allow-Methods'] = 'POST, PUT, GET, OPTIONS, DELETE'
+ headers['Access-Control-Max-Age'] = '7200'
 end
 headers
diff --git a/spec/components/hijack_spec.rb b/spec/components/hijack_spec.rb
index 0ed3b0b4037..416ee4102b0 100644
--- a/spec/components/hijack_spec.rb
+++ b/spec/components/hijack_spec.rb
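Review bot: The bare literal `'7200'` on the added Max-Age line carries a policy tradeoff that the code does not state: a browser holding a cached preflight skips re-validation for up to 2h, so tightening the allowed origins, headers or methods set just above only reaches those clients once their cache expires (the browser still checks the actual response, so the exposure is the server processing the request, not the page reading the result). I would hoist the number into a named constant and say where it comes from, e.g. `# 2h is Chromium's preflight-cache cap; policy changes take up to this long to reach clients that already cached a preflight` directly above `headers['Access-Control-Max-Age'] = '7200'`. Whether this line runs only for OPTIONS responses or for every CORS response is not visible in the hunk; on actual responses the header is inert but a one-line comment saying so would spare the next reader the question. The enclosing method starts and ends outside the hunk.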
@@ -110,7 +110,8 @@ describe Hijack do
 "Access-Control-Allow-Origin" => "www.rainbows.com",
 "Access-Control-Allow-Headers" => "Content-Type, Cache-Control, X-Requested-With, X-CSRF-Token, Discourse-Present, User-Api-Key, User-Api-Client-Id, Authorization",
 "Access-Control-Allow-Credentials" => "true",
- "Access-Control-Allow-Methods" => "POST, PUT, GET, OPTIONS, DELETE"
+ "Access-Control-Allow-Methods" => "POST, PUT, GET, OPTIONS, DELETE",
+ "Access-Control-Max-Age" => "7200",
 }
 expect(headers).to eq(expected)
@@ -147,7 +148,8 @@ describe Hijack do
 "Access-Control-Allow-Origin" => "https://www.rainbows.com",
 "Access-Control-Allow-Headers" => "Content-Type, Cache-Control, X-Requested-With, X-CSRF-Token, Discourse-Present, User-Api-Key, User-Api-Client-Id, Authorization",
 "Access-Control-Allow-Credentials" => "true",
- "Access-Control-Allow-Methods" => "POST, PUT, GET, OPTIONS, DELETE"
+ "Access-Control-Allow-Methods" => "POST, PUT, GET, OPTIONS, DELETE",
+ "Access-Control-Max-Age" => "7200",
 }
 expect(headers).to eq(expected)
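Review bot: The expected header hash is spelled out in full in both this hunk and the one at -147, differing only in the origin, so every header change has to be edited in lock-step in two examples, as this commit itself had to do. I would build the shared part once and merge the origin per example, e.g. `let(:cors_headers) { { "Access-Control-Allow-Credentials" => "true", "Access-Control-Allow-Methods" => "POST, PUT, GET, OPTIONS, DELETE", "Access-Control-Max-Age" => "7200" } }` (plus the Allow-Headers entry) and `expected = cors_headers.merge("Access-Control-Allow-Origin" => "www.rainbows.com")`. Keep the `eq` against the whole hash: it is what pins the exact header set the middleware emits and would catch an unintended extra header. The describe block starts and ends outside both hunks.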