I would like to know how browsers handle CORS Preflight response that includes both Vary: Origin and Access-Control-Max-Age headers.
This statement is from https://www.w3.org/TR/cors/
Resources that wish to enable themselves to be shared with multiple Origins but do not respond uniformly with "*" must in practice generate the Access-Control-Allow-Origin header dynamically in response to every request they wish to allow. As a consequence, authors of such resources should send a Vary: Origin HTTP header or provide other appropriate control directives to prevent caching of such responses, which may be inaccurate if re-used across-origins
From this statement I understand that Vary: Origin tells browsers not to cache the preflight response (in case allow-origin: * is not used).
Access-Control-Max-Age tells browsers to cache the preflight response for a period.
The questions:
Is it valid if both of the headers exist in a preflight response?
How do browsers handle the preflight response if it includes both of those headers?
Thanks!
CORS caching for browsers: browsers limit this value. Firefox caps it at 86400 (24 hours) while all Chromium-based browsers cap it at 7200 (2 hours).
A CORS preflight OPTIONS request can be triggered just by adding a Content-Type header to a request — if the value's anything except application/x-www-form-urlencoded, text/plain, or multipart/form-data.
A CORS preflight request is a CORS request that checks to see if the CORS protocol is understood and a server is aware using specific methods and headers. It is an OPTIONS request, using three HTTP request headers: Access-Control-Request-Method, Access-Control-Request-Headers, and the Origin header.
Per the spec requirements, Vary: Origin won't affect behavior of the CORS-preflight cache.
Is it valid if both of the headers exist in a preflight response?
Yes, it's valid. But if the Vary header is present, it has no effect on the CORS-preflight cache.
How browsers handle Preflight response if the response includes both that headers
For the CORS-preflight cache, browsers completely ignore the Vary header and only use the value of the Access-Control-Max-Age header.
my understanding is that Vary: Origin will tell browsers not to cache the preflight result
That’s not what the requirements in the Fetch spec say.
The CORS-preflight cache isn’t a general HTTP cache covered by requirements in the HTTP spec. It’s a special cache whose behavior is defined exclusively by the Fetch spec. And the Fetch spec doesn’t state any requirements—even indirectly—about the behavior of the CORS-preflight cache being affected at all by the Vary response header.
Instead the Fetch spec says just this:
Let max-age be the result of extracting header list values given Access-Control-Max-Age and response’s header list.
That doesn’t say anything about checking the Vary header value before setting max-age.
And because the spec doesn’t explicitly state if/how to use Vary when deciding whether to populate the CORS-preflight cache, then browsers must not use Vary when doing it.
If a browser did use Vary in its handling of the CORS-preflight cache, then that browser would be out of conformance with the spec requirements for the CORS-preflight cache.
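The answer above can be checked against a small model of the CORS-preflight cache logic. This is an added example written for this page, not browser or spec code; the names MAX_AGE_LIMIT, extractMaxAge, preflightCacheLifetime and PreflightCache are my own, the per-browser caps are the values quoted earlier on this page, and the 5-second fallback is the Fetch spec's default when Access-Control-Max-Age is absent or unparsable. Vary is deliberately never read anywhere in it.

```javascript
// Added example: a model of the Fetch spec's CORS-preflight cache, not browser code.
// It shows that an entry's lifetime comes only from Access-Control-Max-Age (capped
// per browser) and that a Vary header in the preflight response is never consulted.

// Per-browser caps on max-age in seconds (values quoted on this page).
const MAX_AGE_LIMIT = { firefox: 86400, chromium: 7200 };
// Fetch spec: "If max-age is failure or null, then set max-age to 5."
const DEFAULT_MAX_AGE = 5;

// Extract max-age the way the spec does: one non-negative integer value,
// anything else is "failure"; a missing header is null.
function extractMaxAge(headers) {
  const raw = headers["access-control-max-age"];
  if (raw === undefined) return null;
  const v = String(raw).trim();
  return /^\d+$/.test(v) ? Number(v) : "failure";
}

// Seconds a preflight result may be reused by the given browser.
// headers.vary is intentionally ignored: the spec never mentions it here.
function preflightCacheLifetime(headers, browser) {
  let maxAge = extractMaxAge(headers);
  if (maxAge === null || maxAge === "failure") maxAge = DEFAULT_MAX_AGE;
  return Math.min(maxAge, MAX_AGE_LIMIT[browser]);
}

// Simplified cache keyed like a spec "method cache entry match":
// serialized origin, URL, credentials mode and method (header-name entries omitted).
class PreflightCache {
  constructor(browser, now = () => Date.now()) {
    this.browser = browser;
    this.now = now;          // injectable clock so expiry can be tested
    this.entries = new Map(); // key -> expiry time in ms
  }
  key(req) { return [req.origin, req.url, req.credentials, req.method].join("|"); }
  // Record a successful preflight; returns the lifetime applied, in seconds.
  store(req, headers) {
    const ttl = preflightCacheLifetime(headers, this.browser);
    this.entries.set(this.key(req), this.now() + ttl * 1000);
    return ttl;
  }
  // True when no unexpired entry matches, i.e. a new OPTIONS request is needed.
  needsPreflight(req) {
    const expiry = this.entries.get(this.key(req));
    return expiry === undefined || expiry <= this.now();
  }
}
```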