On 05/07/18 18:13, Gunnar Brand wrote:
<snip/>
> I believe that for all URLs the CorsFilter matches, any unique Origin
> header’s value is a variant, since the returned access control headers
> differ. But also its absence is a variant (allowed headers are missing
> altogether) and thus warrants a “Vary: Origin”. I.e. always set this header
> unless it’s an invalid CORS request.

Agreed. That should be an easy change to make. I'll also review the code to
see if we use the Vary header anywhere else that needs a similar tweak.

<snip/>
> That aside, setting “Vary: Origin” is of course very bad for caching. But
> then the CorsFilter should probably only be mapped to APIs called remotely.
> As improvement, since with Bug 62343 allowed.origins = ‘*’ will always set
> Access-Control-Allow-Origin to '*', if any origin is allowed the filter could
> help caching by:
> - always setting the access control response headers, i.e. even if not a CORS
>   request (should not have negative effects)
> - not setting “Vary: Origin”
> This would probably greatly improve caching for public APIs that do not rely
> on credentials.
> Kind of discussed here: https://bugs.eclipse.org/bugs/show_bug.cgi?id=443530

My initial thoughts are that this makes sense but I do want to think this
through to make sure I haven't missed anything.

Thanks for your report.

Mark
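The caching argument above, as an added example that is not part of the thread and not Tomcat's CorsFilter code: a model of the header logic discussed, with a small Vary-aware shared cache, showing why an allow-list needs "Vary: Origin" (a missing Origin included) while allowed.origins = '*' does not. The function and class names are assumptions.

```python
# Added example, not code from Tomcat's CorsFilter: models the header logic
# discussed in the thread plus a Vary-aware shared cache.

def cors_headers(origin, allowed_origins, set_vary=True):
    """CORS response headers for one request.

    allowed_origins is either the string '*' or a set of origin strings.
    set_vary=False models a filter that omits the Vary header (the report).
    """
    headers = {}
    if allowed_origins == "*":
        # Same answer for every Origin (Bug 62343 behaviour), so the response
        # is not a per-Origin variant and can be set unconditionally.
        headers["Access-Control-Allow-Origin"] = "*"
        return headers
    if set_vary:
        # The response differs per Origin value, and also when Origin is
        # missing (no CORS headers at all): every case is a variant.
        headers["Vary"] = "Origin"
    if origin in allowed_origins:
        headers["Access-Control-Allow-Origin"] = origin
    return headers


class SharedCache:
    """Minimal shared cache: a stored response matches a request only when the
    request headers named in that response's Vary have the same values."""

    def __init__(self):
        self.entries = []  # (url, {vary name: value at store time}, response)

    @staticmethod
    def _varied(request_headers, response):
        names = [n.strip() for n in response.get("Vary", "").split(",") if n.strip()]
        return {n: request_headers.get(n) for n in names}

    def lookup(self, url, request_headers):
        for u, varied, resp in self.entries:
            if u == url and all(request_headers.get(n) == v for n, v in varied.items()):
                return resp
        return None

    def store(self, url, request_headers, response):
        self.entries.append((url, self._varied(request_headers, response), response))


def serve(cache, url, origin, allowed_origins, set_vary=True):
    """Serve one request through the cache; returns (headers, served_from_cache)."""
    req = {"Origin": origin} if origin is not None else {}
    hit = cache.lookup(url, req)
    if hit is not None:
        return hit, True
    resp = cors_headers(origin, allowed_origins, set_vary)
    cache.store(url, req, resp)
    return resp, False
```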