Open rtshilston opened 3 years ago
At present, the vary header is ONLY set if an inbound request has an appropriate 'origin' value. This isn't compatible with using flask-cors with endpoints that have positive cache-headers.
An example scenario is:
- User 1 requests endpoint without CORS.
- Response is sent with 1hr cache header, and doesn't include a vary header
- User 2 requests endpoint and requires CORS
- Cache responds with cached response to user 1, which fails CORS checks.
This change ensures that if the vary_header flag is set, then it'll always send the header, so that flask-cors can dependably be used with caching.
Hey @rtshilston this scenario should be covered by default with the "always_send" option. It seems like in that scenario it may be correct to return the wildcard. What have you seen?
Hey @corydolphin - thanks for the response. I'm not proposing sending the CORS headers. Instead, always sending "Vary: Origin". I think that's totally safe and compliant with specs. If it's useful for me to build a working test-case, let me know and I'll do that.
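The caching scenario discussed in this thread, as an added example that is not part of the original comments and is not flask-cors code. It uses a simplified shared cache and a stand-in origin server; `origin_server`, `SharedCache`, `second_user_result` and the sample origin are hypothetical names and values constructed for the illustration.

```python
ALLOWED_ORIGIN = "https://app.example"  # constructed sample value


def origin_server(request_headers, always_vary):
    """Stand-in for the endpoint; returns response headers only.

    always_vary=False: Vary: Origin is sent only with the CORS headers.
    always_vary=True:  Vary: Origin is sent on every response (the proposal).
    """
    headers = {"Cache-Control": "public, max-age=3600"}
    cors_applies = request_headers.get("Origin") == ALLOWED_ORIGIN
    if cors_applies:
        headers["Access-Control-Allow-Origin"] = ALLOWED_ORIGIN
    if cors_applies or always_vary:
        headers["Vary"] = "Origin"
    return headers


class SharedCache:
    """Simplified model of a shared cache that honours the stored Vary header."""

    def __init__(self, backend):
        self.backend = backend
        self.store = {}  # url -> list of (vary_names, vary_values, response)

    def get(self, url, request_headers):
        # A stored variant matches when the request carries the same values
        # for every header named in that variant's Vary header.
        for names, values, response in self.store.get(url, []):
            if tuple(request_headers.get(n) for n in names) == values:
                return response, True  # cache hit
        response = self.backend(request_headers)
        vary = response.get("Vary", "")
        names = tuple(n.strip() for n in vary.split(",") if n.strip())
        values = tuple(request_headers.get(n) for n in names)
        self.store.setdefault(url, []).append((names, values, response))
        return response, False  # cache miss, response now stored


def second_user_result(always_vary):
    """User 1 sends no Origin; user 2 then sends a CORS request to the same URL."""
    cache = SharedCache(lambda h: origin_server(h, always_vary))
    cache.get("/api/data", {})
    response, hit = cache.get("/api/data", {"Origin": ALLOWED_ORIGIN})
    return hit, response.get("Access-Control-Allow-Origin")
```

With `always_vary=False` the second request is a cache hit on a response that has no `Access-Control-Allow-Origin`; with `always_vary=True` it is a miss and reaches the endpoint.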