Should envoy add "Vary: Origin" response header by default?

[rinfx]

Imagine the following situation:

• My CORS configuration is: Access-Control-Allow-Origin: *.test.com
• Firstly, I open foo.test.com and request a resource from the server, the resource will be cached and the response header Access-Control-Allow-Origin: foo.test.com will be cached together
• Then, I open bar.test.com and request the same resource, the webbrowser find it in cache, however, the Access-Control-Allow-Origin is foo.test.com, does not match bar.test.com, then the webbrowser throw a CORS error.

If envoy add Vary: Origin response header by default, this error can be avoid.

Should envoy add "Vary: Origin" response header by default?

[ggreenway]

cc @wbpcode @daixiang0

[johnlanni]

Yes, I think this is very important. This article introduces this scenario: https://medium.com/@anonrongbo/understanding-the-importance-of-vary-origin-to-prevent-cache-confusion-and-cors-errors-ef3b63046b00

For example, gateways such as Spring Cloud Gateway and Zuul also implement this mechanism.