Fix Vary header for CORS
Oops, we added behavior that varies the CORS response headers according to the incoming `Origin` header, but we forgot to add `Vary: Origin`! This doesn't cause an issue for the app when you make requests to the server directly, but since it's behind a Fastly cache layer, we ended up caching responses that didn't include CORS headers but should have. Now, this will instruct the Fastly cache to treat requests with different `Origin` headers as being entirely different. (This means we won't be sharing caches between requests from impress-2020 and the Rails app anymore, but that should be okay in practice!)
parent e31a79e793
commit a14bc9bebd
1 changed files with 13 additions and 0 deletions
|
@ -11,4 +11,17 @@ export function applyCORSHeaders(req, res) {
|
|||
res.setHeader("Access-Control-Allow-Methods", "*");
|
||||
res.setHeader("Access-Control-Allow-Headers", "*");
|
||||
}
|
||||
|
||||
// Add "Origin" to the `Vary` header, so caches know that the incoming Origin
|
||||
// header can change the response (specifically, the CORS response headers).
|
||||
//
|
||||
// NOTE: In this app, I don't expect "Vary: *" to ever be set. But we try to
|
||||
// be robust about it, just in case! (Adding instead of overwriting *does*
|
||||
// matter for the GraphQL endpoint, which sets "Vary: Accept-Encoding".)
|
||||
const varyContent = res.getHeader("Vary");
|
||||
if (varyContent !== "*") {
|
||||
const varyValues = varyContent ? varyContent.split(/,\s*/) : [];
|
||||
varyValues.push("Origin");
|
||||
res.setHeader("Vary", varyValues.join(", "));
|
||||
}
|
||||
}
|
||||
|
|
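Review bot: `varyValues.push("Origin")` runs unconditionally, so a response whose `Vary` already lists `Origin` (set by earlier middleware, or by a second call to `applyCORSHeaders` on the same response) ends up with `Vary: Origin, Origin`. Check for an existing entry case-insensitively before pushing, for example `if (!varyValues.some((v) => v.toLowerCase() === "origin")) varyValues.push("Origin");`. Separately, `varyContent.split(/,\s*/)` assumes a string: if `res` is a Node `ServerResponse`, `getHeader` returns an array when the header was set with one, and `.split` would throw, so normalize with `Array.isArray(varyContent)` first. The `varyContent !== "*"` test also matches only the exact string, so a value with surrounding whitespace or a list containing `*` falls through to the append branch; splitting and trimming before the wildcard test would make the guard match what the NOTE comment intends.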