Open rinfx opened 2 weeks ago
cc @wbpcode @daixiang0
Yes, I think this is very important. This article introduces this scenario: https://medium.com/@anonrongbo/understanding-the-importance-of-vary-origin-to-prevent-cache-confusion-and-cors-errors-ef3b63046b00
For example, gateways such as Spring Cloud Gateway and Zuul also implement this mechanism.
Imagine the following situation:
Access-Control-Allow-Origin: *.test.com
foo.test.com and request a resource from the server, the resource will be cached and the response header Access-Control-Allow-Origin: foo.test.com will be cached together
bar.test.com and request the same resource, the web browser finds it in cache, however, the Access-Control-Allow-Origin is foo.test.com, does not match bar.test.com, then the web browser throws a CORS error.
If Envoy adds the Vary: Origin response header by default, this error can be avoided.
Should Envoy add "Vary: Origin" response header by default?
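The foo.test.com / bar.test.com sequence described above, as an added simulation that is not part of the issue and is not Envoy code. It assumes a backend that reflects any matching *.test.com origin and a simplified cache that keys on the URL plus the request headers named in Vary; all function and class names are hypothetical.

```javascript
// Constructed simulation; originServer, HttpCache, corsAllows and scenario are hypothetical names.
const ALLOWED = /^https:\/\/[a-z0-9-]+\.test\.com$/; // stands in for the *.test.com policy

// Backend behind the proxy: reflects a matching Origin into Access-Control-Allow-Origin.
function originServer(req, addVary) {
  const headers = {};
  const origin = req.headers.origin;
  if (origin && ALLOWED.test(origin)) headers["access-control-allow-origin"] = origin;
  if (addVary) headers["vary"] = "Origin";
  return { status: 200, headers, body: "resource" };
}

// Simplified HTTP cache: the secondary key is built from the request headers named in Vary.
class HttpCache {
  constructor() { this.store = new Map(); this.varyByUrl = new Map(); }
  key(req, vary) { return `${req.url}|${vary.map((h) => `${h}=${req.headers[h] ?? ""}`).join("&")}`; }
  fetch(req, upstream) {
    const vary = this.varyByUrl.get(req.url) ?? [];
    const hit = this.store.get(this.key(req, vary));
    if (hit) return { ...hit, fromCache: true };
    const res = upstream(req);
    const names = (res.headers["vary"] ?? "")
      .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
    this.varyByUrl.set(req.url, names);
    this.store.set(this.key(req, names), res);
    return { ...res, fromCache: false };
  }
}

// Browser-side check: the response is readable only if ACAO is * or equals the page's origin.
function corsAllows(pageOrigin, res) {
  const acao = res.headers["access-control-allow-origin"];
  return acao === "*" || acao === pageOrigin;
}

// Run the foo -> bar sequence from the issue against a single cache instance.
function scenario(addVary) {
  const cache = new HttpCache();
  const get = (origin) => cache.fetch({ url: "/res", headers: { origin } }, (r) => originServer(r, addVary));
  const foo = get("https://foo.test.com");
  const bar = get("https://bar.test.com");
  return { fooOk: corsAllows("https://foo.test.com", foo),
           barOk: corsAllows("https://bar.test.com", bar), barFromCache: bar.fromCache };
}

console.log("without Vary:", scenario(false));
console.log("with Vary: Origin:", scenario(true));
```

Without Vary, the second request is served the entry cached for foo.test.com and fails the CORS check; with Vary: Origin the cache treats the two origins as separate variants and both requests pass.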