expressjs/cors

`Vary: Origin` should not be set if the `Origin` request header is ignored

Open

#332 aberto em 19 de out. de 2024

Ver no GitHub
 (1 comment) (1 reaction) (0 assignees)JavaScript (5.897 stars) (476 forks)batch import
3.xbughelp wanted

Description

The Vary HTTP response header is useful to ensure proper caching of CORS responses and prevent cache poisoning. However, it comes with a downside: (potentially significantly) increasing the cache size, since each client's origin will create a different cached value.

The standard mentions:

If Access-Control-Allow-Origin is set to * or a static origin for a particular resource, then configure the server to always send Access-Control-Allow-Origin in responses for the resource — for non-CORS requests as well as CORS requests — and do not use Vary.

In other words, if the CORS response is always the same regardless of the Origin request header, Vary: Origin should not be set. Currently, this module mostly gets it right except in two cases:

  1. If the origin option is a function, regardless of the return value of that function (including '*'), Vary: Origin should be set, since that function might (and most likely did) use the Origin request header.

https://github.com/expressjs/cors/blob/53312a5bee605e2486fa734756abb3c0bc2f891d/lib/index.js#L209-L216

https://github.com/expressjs/cors/blob/53312a5bee605e2486fa734756abb3c0bc2f891d/lib/index.js#L41-L46

  1. If the origin option is a string, Vary: Origin should not be set, since Access-Control-Allow-Origin is always the same value, and the Origin request header is ignored.

https://github.com/expressjs/cors/blob/53312a5bee605e2486fa734756abb3c0bc2f891d/lib/index.js#L47-L56

Guia do colaborador

Pilha de tecnologia
javascriptnodejsexpress
Domain
backendapiperformance
Tipo Issue
bug
DifficultyDificuldade de implementação estimada para um novo contribuidor, de 1 para alterações muito pequenas a 5 para trabalho de nível especializado.
2
Tempo estimadoUm intervalo de tempo aproximado para um colaborador experiente investigar, implementar, testar e preparar um pull request.
under 1 hour
Status da atividadeQuão disponível o issue aparece agora: novo, ativo, obsoleto, bloqueado ou aguardando entrada do mantenedor.
fresh
ClarityCom que clareza o issue explica a mudança esperada, os critérios de aceitação e a próxima etapa.
clear
Prerequisites
Understanding of CORS protocolNode.js and Express basics
Simpatia para novatosUma pontuação de 1 a 100 que estima o quão acessível este issue é para colaboradores iniciantes.
80
Direção de pesquisa
Examine lib/index.js lines 41-56 and 209-216. The issue identifies two cases: when origin is a function, Vary should be set (already done); when origin is a string, Vary should not be set. The fix should modify the condition for adding Vary header. No maintainer questions or linked PRs visible.