expressjs/cors

`Vary: Origin` should not be set if the `Origin` request header is ignored

Open

#332 opened on Oct 19, 2024

Labels: 3.x, bug, help wanted

Description

The Vary HTTP response header is useful to ensure proper caching of CORS responses and prevent cache poisoning. However, it comes with a downside: (potentially significantly) increasing the cache size, since each client's origin will create a different cached value.

The standard mentions:

> If Access-Control-Allow-Origin is set to * or a static origin for a particular resource, then configure the server to always send Access-Control-Allow-Origin in responses for the resource — for non-CORS requests as well as CORS requests — and do not use Vary.

In other words, if the CORS response is always the same regardless of the Origin request header, Vary: Origin should not be set. Currently, this module mostly gets it right except in two cases:

  1. If the origin option is a function, regardless of the return value of that function (including '*'), Vary: Origin should be set, since that function might (and most likely did) use the Origin request header.

https://github.com/expressjs/cors/blob/53312a5bee605e2486fa734756abb3c0bc2f891d/lib/index.js#L209-L216

https://github.com/expressjs/cors/blob/53312a5bee605e2486fa734756abb3c0bc2f891d/lib/index.js#L41-L46

  2. If the origin option is a string, Vary: Origin should not be set, since Access-Control-Allow-Origin is always the same value, and the Origin request header is ignored.

https://github.com/expressjs/cors/blob/53312a5bee605e2486fa734756abb3c0bc2f891d/lib/index.js#L47-L56
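The rule the issue proposes, modelled as an added example that is not the cors module's own code: `resolveCors` decides the `Access-Control-Allow-Origin` and `Vary` headers for a static string option versus a function option, and `cacheKey` shows what a shared cache keys on as a result. Assumptions: the function option is modelled synchronously as `(origin) => allowedValue` rather than with the module's callback, and the boolean `true` (reflect the request origin) is included as a case beyond the two the issue lists.

```javascript
// Added example, not code from the cors module: a minimal model of the rule
// the issue proposes. `originOption` is a static string, a synchronous function
// (origin) => allowedValue (assumption: the module's function takes a callback),
// or the boolean true meaning "reflect the request origin" (beyond the issue text).
function resolveCors(originOption, requestOrigin) {
  const headers = {};
  if (typeof originOption === 'string') {
    // Static ACAO: identical for every client, so Origin is ignored and
    // Vary: Origin would only multiply cache entries without changing anything.
    headers['Access-Control-Allow-Origin'] = originOption;
    return headers;
  }
  if (originOption === true) {
    // Reflected origin: the response depends on Origin, so caches must key on it.
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Vary'] = 'Origin';
    return headers;
  }
  if (typeof originOption === 'function') {
    // The function saw the Origin header, so Vary: Origin is set whatever it
    // returned, even '*': a different Origin could have produced a different answer.
    const allowed = originOption(requestOrigin);
    if (allowed) {
      headers['Access-Control-Allow-Origin'] = allowed === true ? requestOrigin : allowed;
    }
    headers['Vary'] = 'Origin';
    return headers;
  }
  throw new TypeError('unsupported origin option');
}

// What a shared cache keys on: the URL plus the request header values named in
// the response's Vary header. Two requests with equal keys share one entry.
function cacheKey(url, requestHeaders, responseHeaders) {
  const vary = (responseHeaders['Vary'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  return [url, ...vary.map((h) => `${h}=${requestHeaders[h] || ''}`)].join('|');
}

// Cache keys two clients with different Origins get for the same URL under a
// given origin option: equal keys mean one shared entry, different keys mean
// the cache grows per origin (the cost the issue describes).
function keysForTwoOrigins(originOption, url = '/api/data') {
  return ['https://a.example', 'https://b.example'].map((origin) =>
    cacheKey(url, { origin }, resolveCors(originOption, origin)));
}
```

With a static string the two keys are identical (one cache entry, no poisoning risk because the header never changes), while with a function option the keys differ, which is the trade the issue is weighing.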
