[rfraile]

Instead of sending a request before every defined case in the CORS policy, it could be implemented requesting only one GET to a plain file (fully cacheable) with the domain policy definition.

Like robots.txt for the search engines.

[orf]

Except CORS policies can be dynamic, depending on the request context.

[ryanbrunner]

It doesn't seem impossible that the static file could have an indicator for "send an OPTIONS in this case". 95% of CORS setups don't need to look at the request beyond the origin requesting it (and I'd wager that almost all CORS-enabled APIs just blindly allow everything).

[dmw_ng]

This is how Macromedia Flash handled it a lifetime ago

[moralestapia]

Flash was 20 years ahead of its time (even though it already had its share of fame).

Apple killed it to pave way for the App Store. It was a shame because around that time Flash was at its peak of innovation, with stuff like Alchemy (whose modern day equivalent could be WebAssembly) and Flex (no-code thingy that was TRULY catching up, only 10 years ago). It was also starting to implement features like atomics, shared data buffers, app bundles, hardware-accelerated 3D, etc... They also went to great lenghts to open their VM, and the ecosystem that was being generated around that was awesome (anyone here used haXe back then?). It was also present on like 99% of devices already and it was the only thing at the time that truly felt like "write once, run anywhere" (HTML wasn't as feature-rich and still quite fragmented between browsers).

Flash was the single biggest threat to Apple's planned business model, and with it gone, Apple's road to becoming a trillion-dollar company has been a walk in the park.