Should envoy add "Vary: Origin" response header by default?
Imagine the following situation:
- My CORS configuration is: `Access-Control-Allow-Origin: *.test.com`
- Firstly, I open `foo.test.com` and request a resource from the server; the resource will be cached, and the response header `Access-Control-Allow-Origin: foo.test.com` will be cached together with it
- Then, I open `bar.test.com` and request the same resource; the web browser finds it in the cache, however, the `Access-Control-Allow-Origin` is `foo.test.com`, which does not match `bar.test.com`, so the web browser throws a CORS error.

If envoy adds the `Vary: Origin` response header by default, this error can be avoided.
Should envoy add "Vary: Origin" response header by default?
cc @wbpcode @daixiang0
Yes, I think this is very important. This article introduces this scenario: https://medium.com/@anonrongbo/understanding-the-importance-of-vary-origin-to-prevent-cache-confusion-and-cors-errors-ef3b63046b00
For example, gateways such as Spring Cloud Gateway and Zuul also implement this mechanism.
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.
This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.
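The scenario from the issue, as an added example that is not code from Envoy or from anyone in this thread: a small model of a server that reflects an allowed `Origin`, a cache that honours `Vary`, and the browser's CORS comparison. The URL, the full `https://` origins, the function names and the multi-variant cache are assumptions made for the illustration.

```javascript
// Constructed model, not Envoy code: a server that reflects an allowed Origin,
// a cache that honours Vary, and the browser's CORS comparison.
const ALLOWED_SUFFIX = ".test.com"; // stands in for the issue's *.test.com rule

function serverResponse(origin, addVary) {
  const headers = { "cache-control": "max-age=3600" };
  if (new URL(origin).hostname.endsWith(ALLOWED_SUFFIX)) {
    headers["access-control-allow-origin"] = origin; // reflected, not "*"
    if (addVary) headers["vary"] = "Origin";
  }
  return { status: 200, headers, body: "resource" };
}

class HttpCache {
  constructor() { this.variants = new Map(); } // url -> [{ varyOn, response }]
  lookup(url, reqHeaders) {
    // A stored variant matches only if every header named in Vary is unchanged.
    return (this.variants.get(url) || []).find((v) =>
      Object.entries(v.varyOn).every(([name, value]) => reqHeaders[name] === value));
  }
  store(url, reqHeaders, response) {
    const varyOn = {};
    const names = (response.headers["vary"] || "").split(",")
      .map((n) => n.trim().toLowerCase()).filter(Boolean);
    for (const name of names) varyOn[name] = reqHeaders[name];
    const list = this.variants.get(url) || [];
    list.push({ varyOn, response });
    this.variants.set(url, list);
  }
}

function fetchViaCache(cache, url, origin, addVary) {
  const reqHeaders = { origin };
  const hit = cache.lookup(url, reqHeaders);
  const response = hit ? hit.response : serverResponse(origin, addVary);
  if (!hit) cache.store(url, reqHeaders, response);
  const acao = response.headers["access-control-allow-origin"];
  return { fromCache: Boolean(hit), acao, corsOk: acao === "*" || acao === origin };
}

function runScenario(addVary) {
  const cache = new HttpCache();
  const url = "https://api.test.com/resource"; // constructed URL
  return ["https://foo.test.com", "https://bar.test.com", "https://foo.test.com"]
    .map((origin) => fetchViaCache(cache, url, origin, addVary));
}

console.log("without Vary:", runScenario(false));
console.log("with Vary: Origin:", runScenario(true));
```

Without `Vary`, the second request is served the entry cached for `foo.test.com` and fails the CORS check; with `Vary: Origin`, the cache treats it as a miss and each origin gets its own variant.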