Add Vary: Origin to CORS response headers #164
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Because the middleware is designed to allow multiple possible origins, by sending back the origin given as `Access-Control-Allowed-Origin` (if it's valid), we need to ensure those responses aren't cached and served to other origins, otherwise they will get CORS errors. Practically speaking, the request `Origin` should factor into any cache-key. According to the HTTP spec, you do this by including that header in `Vary`, so that's what this change does. Unfortunately, this may not always work. Fastly is known to work correctly[^1] but CloudFront does not[^2]. For CloudFront, you also have to configure your distribution itself to include `Origin` in the cache key via your `CachePolicy`, and this `Vary` header is ignored. [^1]: https://www.fastly.com/blog/getting-most-out-vary-fastly [^2]: https://stackoverflow.com/a/16546364
jason-lieb
approved these changes
May 10, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Because the middleware is designed to allow multiple possible origins,
by sending back the origin given as
Access-Control-Allowed-Origin(ifit's valid), we need to ensure those responses aren't cached and served
to other origins, otherwise they will get CORS errors. Practically
speaking, the request
Originshould factor into any cache-key.According to the HTTP spec, you do this by including that header in
Vary, so that's what this change does.Unfortunately, this may not always work. Fastly is known to work
correctly1 but CloudFront does not2. For CloudFront, you also have
to configure your distribution itself to include
Originin the cachekey via your
CachePolicy, and thisVaryheader is ignored.Footnotes
https://www.fastly.com/blog/getting-most-out-vary-fastly ↩
https://stackoverflow.com/a/16546364 ↩