When making a CORS request, if the requested Origin is on the list of allowed origins, the response contains both the Access-Control-Allow-Origin header and the Vary: Origin header.
The Vary: Origin header tells onward CDNs etc. that the response was negotiated based on the requester's Origin header value.
The issue (and I've tested the leading CDN providers) is that if the requester doesn't provide an Origin header in the request, or provides an Origin value that is not one of the allowed ones, the response does not include Vary: Origin.
Should a CDN performing CORS always respond with Vary: Origin in the response headers? If it doesn't, a CDN would believe it can serve the same response to any Origin value. Then again, it would be possible to fill a CDN's cache by making many requests with random Origin values.
If the server is under your control, add the origin of the requesting site to the set of domains permitted access by adding it to the Access-Control-Allow-Origin header's value. You can also configure a site to allow any site to access it by using the * wildcard. You should only use this for public APIs.
So, What is This Error Then? This error occurs when a script on your website/web app attempts to make a request to a resource that isn't configured to accept requests coming from code that doesn't come from the same (sub)domain, thus violating the Same-Origin policy.
Access-Control-Allow-Origin is a CORS (Cross-Origin Resource Sharing) header. When Site A tries to fetch content from Site B, Site B can send an Access-Control-Allow-Origin response header to tell the browser that the content of this page is accessible to certain origins.
Vary: Origin: When a user agent receives a response to a non-CORS request for that resource (for example, as the result of a navigation request), the response will lack `Access-Control-Allow-Origin` and the user agent will cache that response.
Yes. If a request may contain an Access-Control-Allow-Origin with different values, then the CDN should always respond with Vary: Origin, even for responses without an Access-Control-Allow-Origin header. Your analysis is correct: if the header isn't always present, it would be possible to fill the cache with incorrect values.
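To make the two cases discussed above concrete, here is an added simulation (example code written for this page, not the asker's setup or any CDN vendor's implementation) of a shared cache that honours Vary, sitting in front of a small origin server. The allow-list, the `/api/data` URL and the probe origins are constructed for the example. `make_origin_server(always_vary=False)` reproduces the behaviour described in the question (Vary: Origin only alongside Access-Control-Allow-Origin); `always_vary=True` is what the answer recommends. `poison_scenario` shows an Origin-less request priming the cache so that an allowed origin later receives a response without Access-Control-Allow-Origin, `entry_count_after_origins` shows the cache-filling trade-off the question mentions, and `audit_vary` is a simple check a defender can run against a server's responses.

```python
# Simulated shared cache (CDN) and CORS origin server. Added illustration, not
# code from the question, the answer or any CDN; names and values are constructed.
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed allow-list: the origins the API is willing to share with.
ALLOWED_ORIGINS = {"https://app.example", "https://admin.example"}

Headers = Dict[str, str]
Server = Callable[[Headers], Headers]


def make_origin_server(always_vary: bool) -> Server:
    """Build a minimal origin server for one resource.

    always_vary=False: Vary: Origin only when Access-Control-Allow-Origin is sent
    (the behaviour the question observed). always_vary=True: Vary: Origin on every
    response (the behaviour the answer recommends).
    """
    def handle(request: Headers) -> Headers:
        response = {"Content-Type": "application/json"}
        origin = request.get("Origin")
        if origin in ALLOWED_ORIGINS:
            response["Access-Control-Allow-Origin"] = origin
            response["Vary"] = "Origin"
        elif always_vary:
            response["Vary"] = "Origin"
        return response
    return handle


class SharedCache:
    """A cache that honours Vary the way an HTTP cache is supposed to.

    Each stored entry remembers which request headers the response varied on and
    their values; an entry with no Vary matches every later request for the URL.
    """
    def __init__(self, server: Server) -> None:
        self.server = server
        # url -> list of (varied request-header values, cached response headers)
        self.entries: Dict[str, List[Tuple[Dict[str, Optional[str]], Headers]]] = {}

    def fetch(self, url: str, request: Headers) -> Headers:
        for varied, cached in self.entries.get(url, []):
            if all(request.get(h) == v for h, v in varied.items()):
                return cached  # cache hit: every varied header matches
        response = self.server(request)
        vary = [h.strip() for h in response.get("Vary", "").split(",") if h.strip()]
        varied = {h: request.get(h) for h in vary}
        self.entries.setdefault(url, []).append((varied, response))
        return response


def poison_scenario(always_vary: bool) -> Optional[str]:
    """Prime the cache with an Origin-less request, then ask as an allowed origin.

    Returns the Access-Control-Allow-Origin the allowed origin receives, or None
    if the cache served it the Origin-less response (a browser would then block it).
    """
    cache = SharedCache(make_origin_server(always_vary))
    cache.fetch("/api/data", {})  # e.g. a navigation request or a plain curl
    resp = cache.fetch("/api/data", {"Origin": "https://app.example"})
    return resp.get("Access-Control-Allow-Origin")


def entry_count_after_origins(always_vary: bool, origins: Iterable[str]) -> int:
    """How many cache entries a series of distinct (disallowed) Origins creates."""
    cache = SharedCache(make_origin_server(always_vary))
    for origin in origins:
        cache.fetch("/api/data", {"Origin": origin})
    return len(cache.entries["/api/data"])


def audit_vary(server: Server) -> List[str]:
    """Probe with no / allowed / disallowed Origin; report responses lacking Vary: Origin."""
    probes = {
        "no Origin": {},
        "allowed Origin": {"Origin": "https://app.example"},
        "disallowed Origin": {"Origin": "https://other.example"},
    }
    findings = []
    for name, request in probes.items():
        vary = [h.strip().lower() for h in server(request).get("Vary", "").split(",")]
        if "origin" not in vary:
            findings.append(f"{name}: response lacks Vary: Origin")
    return findings


if __name__ == "__main__":
    print("Vary only with ACAO:", poison_scenario(always_vary=False))
    print("Vary on every response:", poison_scenario(always_vary=True))
    probes = ["https://a.example", "https://b.example", "https://c.example"]
    print("entries, Vary only with ACAO:", entry_count_after_origins(False, probes))
    print("entries, Vary on every response:", entry_count_after_origins(True, probes))
    for finding in audit_vary(make_origin_server(always_vary=False)):
        print("finding:", finding)
```

With `always_vary=False` the Origin-less response carries no Vary, so the cache treats it as valid for every requester and the allowed origin gets no Access-Control-Allow-Origin at all. With `always_vary=True` the Origin-less entry is keyed on "no Origin" and the allowed origin goes to the origin server, at the cost that each distinct Origin value creates its own cache entry, which is the cache-filling concern raised in the question.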