Examples 2 and 3 both use the Vary header in the response to the preflight request:
Vary: Origin
Could you clarify your decision to include that header in the response, as well as motivate its value (Origin)?
Although responses to OPTIONS requests are not supposed to be cached (outside browsers' preflight cache, of course), some questionable Web caches do allow users to cache such responses. In that case, it would make sense to specify a Vary header in responses to preflight requests.
However, in that case, shouldn't Access-Control-Request-Method, Access-Control-Request-Headers, and Access-Control-Request-Private-Network also be listed in the Vary header? Unless those three request headers do not affect the response, they would become part of the cache-poisoning attack surface if they're not listed in the Vary header.
Under the assumption that a Web cache is in place and caches responses to preflight requests, I would have expected
Otherwise, I wouldn't expect the need for any Vary header at all.
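As an added example (not code from the thread or from the spec it discusses), a minimal preflight responder that derives its Vary header from the request headers it actually consulted, plus an audit helper that reports which of those headers a given Vary value omits; the origin, method and header allow-lists are constructed.

```javascript
// Added example: the allow-lists below are constructed for illustration.
const ALLOWED_ORIGINS = new Set(["https://app.example"]);
const ALLOWED_METHODS = new Set(["GET", "POST", "DELETE"]);
const ALLOWED_HEADERS = new Set(["content-type", "x-requested-with"]);

// Build a preflight response. `req.headers` is a plain object with
// lower-cased keys, the shape Node's http module provides.
function preflightResponse(req) {
  // Every header read through `get` is recorded, whether present or absent:
  // absence changes the response too, so it must still be reflected in Vary.
  const consulted = [];
  const get = (name) => { consulted.push(name); return req.headers[name.toLowerCase()]; };
  const headers = {};

  const origin = get("Origin");
  if (origin && ALLOWED_ORIGINS.has(origin)) headers["Access-Control-Allow-Origin"] = origin;

  const method = get("Access-Control-Request-Method");
  if (method && ALLOWED_METHODS.has(method)) headers["Access-Control-Allow-Methods"] = method;

  const requested = get("Access-Control-Request-Headers");
  if (requested) {
    const ok = requested.split(",").map((h) => h.trim().toLowerCase())
      .filter((h) => ALLOWED_HEADERS.has(h));
    if (ok.length) headers["Access-Control-Allow-Headers"] = ok.join(", ");
  }

  if (get("Access-Control-Request-Private-Network") === "true") {
    headers["Access-Control-Allow-Private-Network"] = "true";
  }

  // A shared cache that stores this response may only reuse it for requests
  // that match on every header the response depended on, so list them all.
  headers["Vary"] = consulted.join(", ");
  return { status: 204, headers, consulted };
}

// Audit helper: which consulted request headers does `varyValue` fail to list?
// An empty result means the Vary header covers the full decision surface.
function missingFromVary(varyValue, consulted) {
  const listed = new Set(varyValue.split(",").map((v) => v.trim().toLowerCase()));
  if (listed.has("*")) return [];
  return consulted.filter((h) => !listed.has(h.toLowerCase()));
}
```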