Vary header should include Origin header when cors is enabled #533

Closed · 1 task done
rbozan opened this issue Mar 22, 2025 · 4 comments · Fixed by #534

Labels: bug (Something isn't working), v2 (v2 release)
Comments

rbozan commented Mar 22, 2025

Search for duplicate issues

  • I already searched, and this issue is not a duplicate.

Issue scope

Other (specify below)

Describe the bug

The package using CORS should also modify the Vary header to include the Origin header as the response changes based on the Origin header. For example:

```
❯ curl 'https://static.learnfeliz.com/objects/suburban/House.glb' \
  -H 'sec-ch-ua-platform: "Android"' \
  -H 'Origin: xyz.com' \
  -H 'Referer: http://localhost:5173/' \
  -H 'User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Mobile Safari/537.36' \
  -H 'sec-ch-ua: "Not A(Brand";v="8", "Chromium";v="132", "Google Chrome";v="132"' \
  -H 'DNT: 1' \
  -H 'sec-ch-ua-mobile: ?1' -IL
HTTP/2 200
date: Sat, 22 Mar 2025 17:37:43 GMT
content-type: model/gltf-binary
content-length: 28748
accept-ranges: bytes
access-control-allow-headers: content-type, authorization, origin
access-control-allow-methods: GET, HEAD, OPTIONS
access-control-allow-origin: xyz.com
access-control-expose-headers: content-type, origin
cache-control: public, max-age=604800, s-maxage=604800, stale-while-revalidate=432000
content-security-policy: frame-ancestors 'self'
last-modified: Sun, 02 Feb 2025 16:07:36 GMT
strict-transport-security: max-age=63072000; includeSubDomains; preload
vary: accept-encoding
x-content-type-options: nosniff
x-frame-options: DENY
cf-cache-status: MISS
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3dPHn1b5FUB3FryKKdHEGPWgIlB94RQFcRekCKH4JD8g1wYsGH9cUdzMkFH2%2BvdDD%2BE2GxVqlnTZDDMVYmpOj8Nk84Ou%2B3oXo8yD%2FOsXWHDbZtvgvkHerMlegZoRMYWlZsbnsOdOFSTmkrdTaGj30kEoyK8%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 92477567284ffe9f-AMS
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=6188&min_rtt=6057&rtt_var=1351&sent=6&recv=8&lost=0&retrans=0&sent_bytes=3433&recv_bytes=1020&delivery_rate=650056&cwnd=253&unsent_bytes=0&cid=3f4c0868dbf530e1&ts=56&x=0"
```

```
❯ curl 'https://static.learnfeliz.com/objects/suburban/House.glb' \
  -H 'sec-ch-ua-platform: "Android"' \
  -H 'Referer: http://localhost:5173/' \
  -H 'User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Mobile Safari/537.36' \
  -H 'sec-ch-ua: "Not A(Brand";v="8", "Chromium";v="132", "Google Chrome";v="132"' \
  -H 'DNT: 1' \
  -H 'sec-ch-ua-mobile: ?1' -IL
HTTP/2 200
date: Sat, 22 Mar 2025 17:37:52 GMT
content-type: model/gltf-binary
content-length: 28748
accept-ranges: bytes
cache-control: public, max-age=604800, s-maxage=604800, stale-while-revalidate=432000
content-security-policy: frame-ancestors 'self'
last-modified: Sun, 02 Feb 2025 16:07:36 GMT
strict-transport-security: max-age=63072000; includeSubDomains; preload
vary: accept-encoding
x-content-type-options: nosniff
x-frame-options: DENY
age: 2638
cf-cache-status: HIT
report-to: {"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=UrAX3a37N5Bni6sTWHP%2BIb8f6%2F48XN3kHOdcjGexHTwYUbE1X7ebTQg%2ByLajiwl7uVVgtOrb%2FQXFxy1hFfJvwmXWhSmGqS92RDkWTAgN7VsBgy3owHV7JzQ9ZTeHjV8slVcNucLDJDN1QBOj8uY0KE%2Bxp1I%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 924775a00e171cae-AMS
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=5675&min_rtt=4501&rtt_var=1891&sent=6&recv=8&lost=0&retrans=0&sent_bytes=3411&recv_bytes=1006&delivery_rate=762874&cwnd=202&unsent_bytes=0&cid=83091922d76f1690&ts=53&x=0"
```

```
❯ curl 'https://static.learnfeliz.com/objects/suburban/House.glb' \
  -H 'sec-ch-ua-platform: "Android"' \
  -H 'Origin: foobar.com' \
  -H 'Referer: http://localhost:5173/' \
  -H 'User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Mobile Safari/537.36' \
  -H 'sec-ch-ua: "Not A(Brand";v="8", "Chromium";v="132", "Google Chrome";v="132"' \
  -H 'DNT: 1' \
  -H 'sec-ch-ua-mobile: ?1' -IL
HTTP/2 200
date: Sat, 22 Mar 2025 17:40:56 GMT
content-type: model/gltf-binary
content-length: 28748
accept-ranges: bytes
access-control-allow-headers: content-type, authorization, origin
access-control-allow-methods: GET, HEAD, OPTIONS
access-control-allow-origin: foobar.com
access-control-expose-headers: content-type, origin
cache-control: public, max-age=604800, s-maxage=604800, stale-while-revalidate=432000
content-security-policy: frame-ancestors 'self'
last-modified: Sun, 02 Feb 2025 16:07:36 GMT
strict-transport-security: max-age=63072000; includeSubDomains; preload
vary: accept-encoding
x-content-type-options: nosniff
x-frame-options: DENY
cf-cache-status: MISS
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qHFe%2FWUKIhsriET3FdSaqP55ceC8E5j5FV3WxLGf3u8dOiav6J5XNVmTL1ELzrO4scprZHZNAbfpJmK7VZqJYFLsWog3YdK3YnC%2BE3htOJsWtjhG0B%2FNx99LZfkT5Orn%2FzResxE42AHtAPHQhVXYJROOXxY%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 92477a1ff89b0e30-AMS
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=5668&min_rtt=5277&rtt_var=2111&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3409&recv_bytes=1021&delivery_rate=519593&cwnd=180&unsent_bytes=0&cid=a3b3ea1f408503d2&ts=69&x=0"
```

How to reproduce it

See above

Expected behavior

It should include the Origin header

rbozan added the labels bug, v2 on Mar 22, 2025

joseluisq (Collaborator) commented
Can you please illustrate better how the Origin header alters the response in SWS when using CORS? Because I'm not seeing the same as you.

joseluisq (Collaborator) commented Mar 24, 2025

Reading a bit further (https://fetch.spec.whatwg.org/#example-vary-origin), I got a better picture of this.

> In particular, consider what happens if Vary is not used and a server is configured to send Access-Control-Allow-Origin for a certain resource only in response to a CORS request. When a user agent receives a response to a non-CORS request for that resource (for example, as the result of a navigation request), the response will lack Access-Control-Allow-Origin and the user agent will cache that response. Then, if the user agent subsequently encounters a CORS request for the resource, it will use that cached response from the previous non-CORS request, without Access-Control-Allow-Origin.
>
> But if Vary: Origin is used in the same scenario described above, it will cause the user agent to fetch a response that includes Access-Control-Allow-Origin, rather than using the cached response from the previous non-CORS request that lacks Access-Control-Allow-Origin.
>
> However, if Access-Control-Allow-Origin is set to * or a static origin for a particular resource, then configure the server to always send Access-Control-Allow-Origin in responses for the resource — for non-CORS requests as well as CORS requests — and do not use Vary.

SWS is not doing the latter, so it has to include the origin in the Vary. So a patch will come soon.
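The cache interaction the spec excerpt above describes, as an added example that is not part of this thread and not SWS code: a small Vary-aware cache model in Python. The server, the cache and the request sequence are all simulated (the `Policy` knobs, the `cdn.example.invalid` URL and the `app-a`/`app-b` origins are assumptions made for the example). It replays the scenario from the quote (a non-CORS navigation first, then CORS requests) under three server policies: reflecting the request origin without `Vary: Origin` (what the curl output shows), reflecting it with `Vary: Origin` (the fix), and a static `Access-Control-Allow-Origin: *` sent on every response (the case where the spec says Vary is unnecessary). It also includes the header check a reviewer would run against a captured response.

```python
"""Vary-aware cache model showing why reflected CORS needs `Vary: Origin`.

Added example, not SWS code: server, cache and requests are simulated.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

Headers = Dict[str, str]


@dataclass(frozen=True)
class Policy:
    """CORS policy of the simulated server (assumed; not SWS's real config)."""
    reflect_origin: bool = True         # echo the request Origin into ACAO
    vary_origin: bool = False           # add Origin to Vary on every response
    static_acao: Optional[str] = None   # e.g. "*": always sent, no Vary needed


def _lower(h: Headers) -> Headers:
    """Header names are case-insensitive; normalise for lookups."""
    return {k.lower(): v for k, v in h.items()}


def serve(request: Headers, policy: Policy) -> Headers:
    """Simulated origin server, modelled on the headers in the curl output."""
    resp = {"content-type": "model/gltf-binary", "vary": "accept-encoding"}
    req = _lower(request)
    if policy.static_acao is not None:
        resp["access-control-allow-origin"] = policy.static_acao
    elif policy.reflect_origin and "origin" in req:
        resp["access-control-allow-origin"] = req["origin"]
    # Vary: Origin must go on *every* response for the resource, including the
    # non-CORS one, otherwise the cached non-CORS response still matches later
    # CORS requests (its own Vary decides how it is keyed).
    if policy.vary_origin:
        resp["vary"] = "accept-encoding, origin"
    return resp


def vary_key(request: Headers, response: Headers) -> Tuple[Tuple[str, Optional[str]], ...]:
    """Secondary cache key: the request value of each header named in Vary."""
    names = [n.strip().lower() for n in _lower(response).get("vary", "").split(",") if n.strip()]
    req = _lower(request)
    return tuple((n, req.get(n)) for n in sorted(names))


class Cache:
    """Minimal shared cache keyed by URL plus the Vary-derived secondary key."""

    def __init__(self) -> None:
        self._store: Dict[str, List[Tuple[tuple, Headers]]] = {}

    def lookup(self, url: str, request: Headers) -> Optional[Headers]:
        for key, resp in self._store.get(url, []):
            if vary_key(request, resp) == key:
                return resp
        return None

    def store(self, url: str, request: Headers, resp: Headers) -> None:
        self._store.setdefault(url, []).append((vary_key(request, resp), resp))


def fetch(cache: Cache, url: str, request: Headers, policy: Policy) -> Tuple[Headers, bool]:
    """Returns (response, served_from_cache)."""
    hit = cache.lookup(url, request)
    if hit is not None:
        return hit, True
    resp = serve(request, policy)
    cache.store(url, request, resp)
    return resp, False


URL = "https://cdn.example.invalid/House.glb"              # placeholder host
NAV = {"Accept": "*/*"}                                     # navigation, no Origin
APP_A = {"Accept": "*/*", "Origin": "https://app-a.example"}  # constructed origins
APP_B = {"Accept": "*/*", "Origin": "https://app-b.example"}


def scenario(policy: Policy,
             sequence: Iterable[Headers] = (NAV, APP_A, APP_B, APP_A)
             ) -> List[Tuple[bool, Optional[str]]]:
    """Replay a request sequence through one cache; per request, return
    (served_from_cache, access-control-allow-origin the client actually sees)."""
    cache = Cache()
    out = []
    for req in sequence:
        resp, hit = fetch(cache, URL, req, policy)
        out.append((hit, resp.get("access-control-allow-origin")))
    return out


def vary_covers_origin(response: Headers) -> bool:
    """Audit check for a captured response: does its Vary list Origin?"""
    names = {n.strip().lower() for n in _lower(response).get("vary", "").split(",")}
    return "origin" in names


if __name__ == "__main__":
    print("reflect, no Vary: Origin ->", scenario(Policy()))
    print("reflect + Vary: Origin   ->", scenario(Policy(vary_origin=True)))
    print("static ACAO *, no Vary   ->", scenario(Policy(static_acao="*")))
    print("captured response OK?    ->", vary_covers_origin({"vary": "accept-encoding"}))
```

Under the first policy every CORS request after the navigation is a cache hit with no `access-control-allow-origin`, which a browser would reject; with `Vary: Origin` each origin gets its own cache entry and the repeat request for app A is a correct hit; with a static `*` the single entry is valid for everyone, so no Vary is needed. Running `scenario(Policy(), (APP_A, APP_B))` shows the other half of the problem visible in the curl output: app B is served app A's reflected origin.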

rbozan (Author) commented Mar 24, 2025

Thanks, indeed that's the problem :)

joseluisq added this to the v2.36.1 milestone on Mar 24, 2025

joseluisq (Collaborator) commented
Resolved by #534

Thanks for reporting!
