Add Origin to Vary header on credentialed CORS response #1
According to the MDN CORS docs, the `Origin` item should be added to the `Vary` header list when the `Access-Control-Allow-Origin` is set to an explicit origin value when it could change due to something like `allow_origins` being the `*` wildcard, a multi-item whitelist or `allow_origin_regex` being in use.

The existing code fails to update the `Vary` list when the server is configured to allow all origins (`*`) and the request has a `Cookie` header (i.e. credentialed). In that situation, the `Access-Control-Allow-Origin` header will be set to the request's `Origin` value. It should be noted that the code does currently update the `Vary` list when the allowed origins are defined by an explicit whitelist (even if it only has one value and doesn't actually vary) or a regex pattern.

It appears this may have just been a simple oversight in the original implementation. This updates the code to add `Origin` to the `Vary` header under these circumstances. If it was intentionally omitted, I'd be delighted to learn why.