diff --git a/fetch.bs b/fetch.bs index f6e941a5b..c5f532363 100644 --- a/fetch.bs +++ b/fetch.bs @@ -5664,6 +5664,26 @@ however, it is perfectly fine to do so.
Vary: Origin+
In particular, consider what happens if `Vary
` is not used and a server is
+configured to send `Access-Control-Allow-Origin
` for a certain
+resource only in response to a CORS request. When a user agent receives a response to a
+non-CORS request for that resource (for example, as the result of a navigation
+request), the response will lack `Access-Control-Allow-Origin
`
+and the user agent will cache that response. Then, if the user agent subsequently encounters a
+CORS request for the resource, it will use that cached response from the previous
+non-CORS request, without `Access-Control-Allow-Origin
`.
+
+
But if `Vary: Origin
` is used in the same scenario described above, it will cause
+the user agent to fetch a response that includes
+`Access-Control-Allow-Origin
`, rather than using the cached response
+from the previous non-CORS request that lacks
+`Access-Control-Allow-Origin
`.
+
+
However, if `Access-Control-Allow-Origin
` is set to
+*
or a static origin for a particular resource, then configure the server
+to always send `Access-Control-Allow-Origin
` in responses for the
+resource — for non-CORS requests as well as CORS
+requests — and do not use `Vary
`.
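Review bot: the closing advice in the last two lines of the hunk ("and do not use `Vary`") is broader than the point it is making. A server that sends a static `*` or fixed-origin `Access-Control-Allow-Origin` on every response for the resource has no need to vary on `Origin`, but it may still legitimately vary on other request headers (`Accept-Encoding`, `Accept`), and "do not use `Vary`" reads as forbidding that. Suggest narrowing it to "and `Vary: Origin` is then unnecessary." Two smaller points in the same hunk: "the user agent will cache that response" only holds when the response is otherwise cacheable (freshness or validators present), so "may cache" or "will cache if cacheable" would be more accurate; and the scenario is described purely in terms of the user agent's cache, but the identical problem arises in any shared cache or CDN between the origin server and the client, which is also why `Vary: Origin` is needed when `Access-Control-Allow-Origin` echoes the request's origin. A sentence noting that the advice applies to intermediate caches too would make the guidance complete.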