CORS breaks with cache proxies and same origin usage.

Created on 23 September 2018, about 6 years ago
Updated 21 August 2023, over 1 year ago

Problem/Motivation

If you use ajax requests from the same origin, CORS support is omitted (for obvious reasons) and no `Origin` key is added to the `Vary` header and naturally the Access-Control-Allow-Origin header is not emitted. However, the request does cache and if a request from another origin is made, it receives the cached item without the CORS data.

Proposed resolution

Technically, every route in Drupal is a CORS route since CORS will activate if an Origin header is passed in the request. So shouldn't the Origin key be added to the Vary response for every Drupal request? That way, upstream caches will variate their cache and miss if the origin header is present or different?

๐Ÿ› Bug report
Status

Needs work

Version

9.5

Component
Request processingย  โ†’

Last updated about 16 hours ago

No maintainer
Created by

๐Ÿ‡ณ๐Ÿ‡ฟNew Zealand Josh Waihi

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Production build 0.71.5 2024