From a14bc9bebd3544eb3c31670d5e58557eeda79225 Mon Sep 17 00:00:00 2001
From: Matchu
Date: Thu, 12 Oct 2023 14:58:26 -0700
Subject: [PATCH] Fix Vary header for CORS

Oops, we added behavior that varies the CORS response headers according to the incoming `Origin` header, but we forgot to add `Vary: Origin`! This doesn't cause an issue for the app when you make requests to the server directly, but since it's behind a Fastly cache layer, we ended up caching responses that didn't include CORS headers but should have. Now, this will instruct the Fastly cache to treat requests with different `Origin` headers as being entirely different. (This means we won't be sharing caches between requests from impress-2020 and the Rails app anymore, but that should be okay in practice!)
---
 src/server/cors.js | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/server/cors.js b/src/server/cors.js
index 2f0bd74..eda605d 100644
--- a/src/server/cors.js
+++ b/src/server/cors.js
@@ -11,4 +11,17 @@ export function applyCORSHeaders(req, res) {
 res.setHeader("Access-Control-Allow-Methods", "*");
 res.setHeader("Access-Control-Allow-Headers", "*");
 }
+
+ // Add "Origin" to the `Vary` header, so caches know that the incoming Origin
+ // header can change the response (specifically, the CORS response headers).
+ //
+ // NOTE: In this app, I don't expect "Vary: *" to ever be set. But we try to
+ // be robust about it, just in case! (Adding instead of overwriting *does*
+ // matter for the GraphQL endpoint, which sets "Vary: Accept-Encoding".)
+ const varyContent = res.getHeader("Vary");
+ if (varyContent !== "*") {
+ const varyValues = varyContent ? varyContent.split(/,\s*/) : [];
+ varyValues.push("Origin");
+ res.setHeader("Vary", varyValues.join(", "));
+ }
 }
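Review bot: The added `varyContent.split(/,\s*/)` assumes `res.getHeader("Vary")` is a string, but Node's `getHeader` returns whatever value was passed to `setHeader`, which may be a string array, so an earlier middleware setting `Vary` as an array would make this throw on every response. The new block also appends `Origin` unconditionally, so a `Vary` that already lists `Origin` (or contains `*` alongside other values, which the exact `!== "*"` comparison misses) ends up with a duplicate or a meaningless extra token, which weakens the cache-key fix this commit is making. Normalizing the existing value to a flat list, checking for `*` and a case-insensitive `Origin` before pushing, and only rewriting the header when something changed keeps the intent while handling those shapes; the enclosing `applyCORSHeaders` starts above the hunk, so its earlier header logic is not visible here.
```javascript
  const rawVary = res.getHeader("Vary");
  // getHeader may return a string, an array (when set with an array), or undefined.
  const varyValues = [].concat(rawVary ?? [])
    .flatMap((v) => String(v).split(/,\s*/))
    .filter(Boolean);
  const hasOrigin = varyValues.some((v) => v.toLowerCase() === "origin");
  if (!varyValues.includes("*") && !hasOrigin) {
    varyValues.push("Origin");
    res.setHeader("Vary", varyValues.join(", "));
  }
```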