Matchu
a14bc9bebd
Oops, we added behavior that varies the CORS response headers according to the incoming `Origin` header, but we forgot to add `Vary: Origin`! This doesn't cause an issue for the app when you make requests to the server directly, but since it's behind a Fastly cache layer, we ended up caching responses that didn't include CORS headers but should have. Now, this will instruct the Fastly cache to treat requests with different `Origin` headers as being entirely different. (This means we won't be sharing caches between requests from impress-2020 and the Rails app anymore, but that should be okay in practice!)
27 lines
1 KiB
JavaScript
27 lines
1 KiB
JavaScript
const ALLOWED_CORS_ORIGINS = [
|
|
"https://beta.impress.openneo.net",
|
|
"https://impress.openneo.net",
|
|
"http://localhost:3000",
|
|
];
|
|
|
|
export function applyCORSHeaders(req, res) {
|
|
const origin = req.headers["origin"];
|
|
if (ALLOWED_CORS_ORIGINS.includes(origin)) {
|
|
res.setHeader("Access-Control-Allow-Origin", origin);
|
|
res.setHeader("Access-Control-Allow-Methods", "*");
|
|
res.setHeader("Access-Control-Allow-Headers", "*");
|
|
}
|
|
|
|
// Add "Origin" to the `Vary` header, so caches know that the incoming Origin
|
|
// header can change the response (specifically, the CORS response headers).
|
|
//
|
|
// NOTE: In this app, I don't expect "Vary: *" to ever be set. But we try to
|
|
// be robust about it, just in case! (Adding instead of overwriting *does*
|
|
// matter for the GraphQL endpoint, which sets "Vary: Accept-Encoding".)
|
|
const varyContent = res.getHeader("Vary");
|
|
if (varyContent !== "*") {
|
|
const varyValues = varyContent ? varyContent.split(/,\s*/) : [];
|
|
varyValues.push("Origin");
|
|
res.setHeader("Vary", varyValues.join(", "));
|
|
}
|
|
}
|