You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When the middleware is configured to reflect the request value of Access-Control-Request-Headers in the response value of Access-Control-Allow-Headers (as it is in the default configuration), it should also include Vary: Access-Control-Request-Headers in the response. Without this header, it's possible to trigger a situation where a downstream cache responds to an OPTIONS request using a cached response from an OPTIONS request with a different Access-Control-Request-Headers value. This could potentially result in either a permissible OPTIONS request being refused, or a non-permissible request being allowed.
The text was updated successfully, but these errors were encountered:
When the middleware is configured to reflect the request value of
Access-Control-Request-Headers
in the response value ofAccess-Control-Allow-Headers
(as it is in the default configuration), it should also includeVary: Access-Control-Request-Headers
in the response. Without this header, it's possible to trigger a situation where a downstream cache responds to an OPTIONS request using a cached response from an OPTIONS request with a differentAccess-Control-Request-Headers
value. This could potentially result in either a permissible OPTIONS request being refused, or a non-permissible request being allowed.The text was updated successfully, but these errors were encountered: