The Vary HTTP response header is useful to ensure proper caching of CORS responses and prevent cache poisoning. However, it comes with a downside: (potentially significantly) increasing the cache size, since each client's origin will create a different cached value.
The standard mentions:
If Access-Control-Allow-Origin is set to * or a static origin for a particular resource, then configure the server to always send Access-Control-Allow-Origin in responses for the resource — for non-CORS requests as well as CORS requests — and do not use Vary.
In other words, if the CORS response is always the same regardless of the Origin request header, Vary: Origin should not be set. Currently, this module mostly gets it right except in two cases:
- If the origin option is a function, regardless of the return value of that function (including '*'), Vary: Origin should be set, since that function might (and most likely did) use the Origin request header.
cors/lib/index.js, lines 209 to 216 in 53312a5:

```js
var originCallback = null;
if (corsOptions.origin && typeof corsOptions.origin === 'function') {
  originCallback = corsOptions.origin;
} else if (corsOptions.origin) {
  originCallback = function (origin, cb) {
    cb(null, corsOptions.origin);
  };
}
```

cors/lib/index.js, lines 41 to 46 in 53312a5:

```js
if (!options.origin || options.origin === '*') {
  // allow any origin
  headers.push([{
    key: 'Access-Control-Allow-Origin',
    value: '*'
  }]);
```
- If the origin option is a string, Vary: Origin should not be set, since Access-Control-Allow-Origin is always the same value, and the Origin request header is ignored.
cors/lib/index.js, lines 47 to 56 in 53312a5:

```js
} else if (isString(options.origin)) {
  // fixed origin
  headers.push([{
    key: 'Access-Control-Allow-Origin',
    value: options.origin
  }]);
  headers.push([{
    key: 'Vary',
    value: 'Origin'
  }]);
```