Join GitHub today
GitHub is home to over 31 million developers working together to host and review code, manage projects, and build software together.Sign up
fix(cors) set missing vary=origin #3765
When Access-Control-Allow-Origin is not *, the cors plugins normally
When that happens, the browser is told to uses its cache even when the
@nijikokun I read through the documentations you posted and it does look like the cache handling through the use of Vary could be improved. However, I am thinking that currently the CORS plugin has a bug in its handling of the cache when credentials=true and this PR has value in fixing that. What do you think?
With that in mind, I modified the CORS tests in a second commit. After looking at the existing tests for the cors plugin, I thought that adding a check in the different relevant tests for header Vary=Origin would cover the most ground. Since there was already a test where credentials=true, then checking for Vary=Origin in there shows that the test fails with the current master branch while it passes once my PR is applied.
I could add an is_nil() check for header Vary in all the other CORS tests if you would like.
thibaultcha left a comment
LGTM. I agree with your statement @marckhouzam:
Yes, this is entirely in the scope of this PR, and the point you previously raised can be addressed in a subsequent improvement (for which we would welcome another PR, of course!).
If you have time for it, that would be great! Approving it, but waiting on it before merging.