Fix Vary header for CORS
Oops, we added behavior that varies the CORS response headers according to the incoming `Origin` header, but we forgot to add `Vary: Origin`! This doesn't cause an issue for the app when you make requests to the server directly, but since it's behind a Fastly cache layer, we ended up caching responses that didn't include CORS headers but should have. Now, this will instruct the Fastly cache to treat requests with different `Origin` headers as being entirely different. (This means we won't be sharing caches between requests from impress-2020 and the Rails app anymore, but that should be okay in practice!)
This commit is contained in:
parent
e31a79e793
commit
a14bc9bebd
1 changed files with 13 additions and 0 deletions
|
|
@ -11,4 +11,17 @@ export function applyCORSHeaders(req, res) {
|
||||||
res.setHeader("Access-Control-Allow-Methods", "*");
|
res.setHeader("Access-Control-Allow-Methods", "*");
|
||||||
res.setHeader("Access-Control-Allow-Headers", "*");
|
res.setHeader("Access-Control-Allow-Headers", "*");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Add "Origin" to the `Vary` header, so caches know that the incoming Origin
|
||||||
|
// header can change the response (specifically, the CORS response headers).
|
||||||
|
//
|
||||||
|
// NOTE: In this app, I don't expect "Vary: *" to ever be set. But we try to
|
||||||
|
// be robust about it, just in case! (Adding instead of overwriting *does*
|
||||||
|
// matter for the GraphQL endpoint, which sets "Vary: Accept-Encoding".)
|
||||||
|
const varyContent = res.getHeader("Vary");
|
||||||
|
if (varyContent !== "*") {
|
||||||
|
const varyValues = varyContent ? varyContent.split(/,\s*/) : [];
|
||||||
|
varyValues.push("Origin");
|
||||||
|
res.setHeader("Vary", varyValues.join(", "));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue