samvera / serverless-iiif

IIIF Image API 2.1 & 3.0 server in an AWS Serverless Application
https://samvera.github.io/serverless-iiif/
Apache License 2.0

CloudFront cache key should include Origin header when using REFLECT_ORIGIN #110

Closed mbklein closed 1 year ago

mbklein commented 1 year ago

When using the REFLECT_ORIGIN CORS setting, the Origin request header needs to be part of CloudFront's cache key to prevent different origins getting each other's CORS responses.

The better way to handle this would be with a viewer-response function, but since we currently allow those to be configurable at deploy time, overriding that would be a breaking change. We can consider that for a future major release.

mbklein commented 1 year ago

This approach is inconsistent with allowing a custom CachePolicyID, which makes it a breaking change as well. Closing.
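
The failure described in the opening comment, shown as an added example that is not part of the thread or the project's code: a toy edge cache in front of a server that reflects `Origin` into `Access-Control-Allow-Origin`, run once with a cache key that omits `Origin` and once with a key that includes it. The function names, sample origins and path are constructed for illustration and do not model CloudFront's actual API.

```javascript
// Toy model only: all names, origins and the path are constructed samples.

// Origin server under a reflect-origin CORS setting: echo Origin back.
function originServer(request) {
  const headers = { 'content-type': 'application/json' };
  if (request.headers.origin) {
    headers['access-control-allow-origin'] = request.headers.origin;
  }
  return { status: 200, headers, body: JSON.stringify({ id: request.path }) };
}

// Minimal cache. keyHeaders lists request headers that are part of the key.
function makeCache(keyHeaders) {
  const store = new Map();
  return function viaCache(request) {
    const key = [request.path]
      .concat(keyHeaders.map((h) => h + '=' + (request.headers[h] || '')))
      .join('|');
    if (!store.has(key)) store.set(key, originServer(request)); // cache miss
    return store.get(key);                                      // cache hit
  };
}

// Browser-side CORS check: script may read the response only on a match.
function browserAccepts(request, response) {
  const acao = response.headers['access-control-allow-origin'];
  return acao === '*' || acao === request.headers.origin;
}

// Two sites request the same resource, one after the other.
function simulate(keyHeaders) {
  const viaCache = makeCache(keyHeaders);
  const path = '/iiif/2/sample/info.json';
  const origins = ['https://viewer-a.example', 'https://viewer-b.example'];
  return origins.map((origin) => {
    const request = { path, headers: { origin } };
    const response = viaCache(request);
    return {
      origin,
      acao: response.headers['access-control-allow-origin'],
      accepted: browserAccepts(request, response),
    };
  });
}

console.log('key = path only     ', simulate([]));
console.log('key = path + Origin ', simulate(['origin']));
```

With the path-only key, the second site is served the first site's cached `Access-Control-Allow-Origin` and its browser blocks the read; with `Origin` in the key, each site gets its own cached response.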