Enable flask-cors to work well with CDNs and caches
At present, the vary header is ONLY set if an inbound request has an appropriate 'origin' value. This isn't compatible with using flask-cors with endpoints that have positive cache-headers.
An example scenario is:
- User 1 requests endpoint without CORS.
- Response is sent with 1hr cache header, and doesn't include a vary header
- User 2 requests endpoint and requires CORS
- Cache responds with cached response to user 1, which fails CORS checks.
This change ensures that if the vary_header flag is set, then it'll always send the header, so that flask-cors can dependably be used with caching.
Hey @rtshilston this scenario should be covered by default with the "always_send" option. It seems like in that scenario it may be correct to return the wildcard. What have you seen?
Hey @corydolphin - thanks for the response. I'm not proposing sending the CORS headers. Instead, always sending "Vary: Origin". I think that's totally safe and compliant with specs. If it's useful for me to build a working test-case, let me know and I'll do that.
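The scenario from the pull request description, replayed against a minimal Vary-aware shared cache. This is an added example, not part of the thread and not flask-cors code; `origin_server`, `SharedCache`, `replay`, the URL and the origin value are all constructed for illustration, and header-name matching is simplified to exact case.

```python
ALLOWED = "https://app.example"  # constructed sample origin


def origin_server(req_headers, always_vary):
    """Hypothetical backend: cacheable endpoint with CORS applied per request."""
    resp = {"Cache-Control": "public, max-age=3600"}
    origin = req_headers.get("Origin")
    if origin == ALLOWED:
        resp["Access-Control-Allow-Origin"] = origin
    # Behaviour under discussion: Vary only when Origin is present,
    # versus Vary on every response.
    if origin is not None or always_vary:
        resp["Vary"] = "Origin"
    return resp


class SharedCache:
    """Keeps variants per URL, selected by the request headers named in Vary."""

    def __init__(self, backend):
        self.backend = backend
        self.store = {}  # url -> list of (vary_names, selecting_values, response)

    def fetch(self, url, req_headers):
        for names, values, resp in self.store.get(url, []):
            if tuple(req_headers.get(n) for n in names) == values:
                return resp, "HIT"
        resp = self.backend(req_headers)
        names = tuple(h.strip() for h in resp.get("Vary", "").split(",") if h.strip())
        values = tuple(req_headers.get(n) for n in names)
        self.store.setdefault(url, []).append((names, values, resp))
        return resp, "MISS"


def replay(always_vary):
    """User 1 sends no Origin, then user 2 makes a cross-origin request."""
    cache = SharedCache(lambda h: origin_server(h, always_vary))
    cache.fetch("/api/data", {})
    resp, status = cache.fetch("/api/data", {"Origin": ALLOWED})
    return status, resp.get("Access-Control-Allow-Origin")


if __name__ == "__main__":
    print("Vary only with Origin:", replay(always_vary=False))
    print("Vary always:          ", replay(always_vary=True))
```

Without an unconditional `Vary: Origin`, the first stored response has no selecting headers, so the cache serves it to the cross-origin request and the browser sees no `Access-Control-Allow-Origin`.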