Cache CORS preflight response for access-control-max-age seconds

[jfallows]

From the fetch standard

Access-Control-Max-Age
Indicates how long the information provided by the Access-Control-Allow-Methods and Access-Control-Allow-Headers headers can be cached.

--

The access-control-allow-origin response header is not explicitly mentioned as being cached, because the CORS preflight response is being made in the context of a specific CORS preflight request origin.

The safest policy for guaranteed consistency with cross origin server intent would be to cache separate responses per access-control-allow-origin response header value.

The access-control-allow-origin response header values of cached CORS preflight responses can then be matched against each subsequent CORS preflight origin request header, including wildcard match when access-control-allow-origin: *.

The access-control-allow-credentials: true is also not explicitly mentioned as being cached, though if browsers may reuse the previous CORS preflight response to allow the next cross origin request to the same URL with credentials as well, then it appears to be implicitly cached also.