when configured to reflect Access-Control-Request-Headers, should also use Vary: Access-Control-Request-Headers

[jfirebaugh]

When the middleware is configured to reflect the request value of Access-Control-Request-Headers in the response value of Access-Control-Allow-Headers (as it is in the default configuration), it should also include Vary: Access-Control-Request-Headers in the response. Without this header, it's possible to trigger a situation where a downstream cache responds to an OPTIONS request using a cached response from an OPTIONS request with a different Access-Control-Request-Headers value. This could potentially result in either a permissible OPTIONS request being refused, or a non-permissible request being allowed.

[troygoode]

good catch @jfirebaugh - I'll try to address it soon

[bjoernwenzel-tommapps]

+1

[dougwilson]

I pushed a fix for the next version 👍

[troygoode]

thanks for taking care of this @dougwilson – as well as some of the other recent work. I've bumped and published as 2.8.2