opendatateam / udata

Customizable and skinnable social platform dedicated to open data.
http://udata.readthedocs.org
GNU Affero General Public License v3.0

Always add Vary even for non CORS requests #3132

Closed ThibaudDauce closed 2 months ago

ThibaudDauce commented 2 months ago

If the first request doesn't have an Origin, we don't set the Vary: Origin, so Nginx puts the response in cache. Then if a cross-origin request is made to the same URL, Nginx returns the same response without the Access-Control-Allow-Origin.

The other solution could be to always return Access-Control-Allow-Origin: * for all API routes instead of dynamically responding with the Access-Control-Allow-Origin: doc.data.gouv.fr for each origin.

ThibaudDauce commented 2 months ago

No, it just indicates to Nginx to cache by the Origin header. So if two requests with the same Origin header are sent, Nginx is allowed to reuse the cached response (as I understand it).

maudetes commented 2 months ago

Perfect, then! Thank you
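
Added example, not part of the thread or of the udata code base: a small Python model of the caching behaviour discussed above, replaying an anonymous request followed by two requests from doc.data.gouv.fr, with and without Vary on every response. The names `backend`, `VaryCache` and `replay`, the path `/api/example`, and the simplified cache-key logic are assumptions made for illustration.

```python
# Constructed model, not udata or Nginx code: a shared cache that keys on
# URL plus the request headers named in the stored response's Vary header.
ALLOWED = {"https://doc.data.gouv.fr"}  # allowlist value taken from the thread


def backend(url, req_headers, always_vary):
    """Hypothetical API handler that echoes an allowed Origin back."""
    headers = {"Content-Type": "application/json"}
    origin = req_headers.get("Origin")
    if origin in ALLOWED:
        headers["Access-Control-Allow-Origin"] = origin
    # Old behaviour: Vary only on CORS requests. Fixed: Vary on every response.
    if always_vary or origin is not None:
        headers["Vary"] = "Origin"
    return headers


class VaryCache:
    def __init__(self, always_vary):
        self.always_vary = always_vary
        self.vary_for = {}   # url -> header names from the last stored Vary
        self.store = {}      # (url, selected request header values) -> response
        self.hits = 0

    def _key(self, url, req_headers):
        names = self.vary_for.get(url, ())
        return (url, tuple(req_headers.get(n) for n in names))

    def get(self, url, req_headers):
        key = self._key(url, req_headers)
        if key in self.store:
            self.hits += 1
            return self.store[key]
        resp = backend(url, req_headers, self.always_vary)
        vary = resp.get("Vary", "")
        self.vary_for[url] = tuple(v.strip() for v in vary.split(",") if v.strip())
        self.store[self._key(url, req_headers)] = resp
        return resp


def replay(always_vary):
    """Anonymous request first, then two requests from the same allowed origin."""
    cache = VaryCache(always_vary)
    url = "/api/example"  # constructed path
    cache.get(url, {})
    cors = {"Origin": "https://doc.data.gouv.fr"}
    second = cache.get(url, cors)
    cache.get(url, cors)
    return second.get("Access-Control-Allow-Origin"), cache.hits
```
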