expressjs/cors

`Vary: Origin` should not be set if the `Origin` request header is ignored

Open

#332 opened on 2024年10月19日

GitHub で見る
 (1 comment) (1 reaction) (0 assignees)JavaScript (476 forks)batch import
3.xbughelp wanted

Repository metrics

Stars
 (5,897 stars)
PR merge metrics
 (30d に merged PR はありません)

説明

The Vary HTTP response header is useful to ensure proper caching of CORS responses and prevent cache poisoning. However, it comes with a downside: (potentially significantly) increasing the cache size, since each client's origin will create a different cached value.

The standard mentions:

If Access-Control-Allow-Origin is set to * or a static origin for a particular resource, then configure the server to always send Access-Control-Allow-Origin in responses for the resource — for non-CORS requests as well as CORS requests — and do not use Vary.

In other words, if the CORS response is always the same regardless of the Origin request header, Vary: Origin should not be set. Currently, this module mostly gets it right except in two cases:

  1. If the origin option is a function, regardless of the return value of that function (including '*'), Vary: Origin should be set, since that function might (and most likely did) use the Origin request header.

https://github.com/expressjs/cors/blob/53312a5bee605e2486fa734756abb3c0bc2f891d/lib/index.js#L209-L216

https://github.com/expressjs/cors/blob/53312a5bee605e2486fa734756abb3c0bc2f891d/lib/index.js#L41-L46

  1. If the origin option is a string, Vary: Origin should not be set, since Access-Control-Allow-Origin is always the same value, and the Origin request header is ignored.

https://github.com/expressjs/cors/blob/53312a5bee605e2486fa734756abb3c0bc2f891d/lib/index.js#L47-L56

コントリビューターガイド