On 05/07/18 18:13, Gunnar Brand wrote:

<snip/>
> That aside, setting “Vary: Origin” is of course very bad for caching. But 
> then the CorsFilter should probably only be mapped to APIs called remotely.
> As improvement, since with Bug 62343 allowed.origins = ‘*’ will always set 
> Access-Control-Allow-Origin to '*', if any origin is allowed the filter could 
> help caching by:
> - always setting the access control response headers, i.e. even if not a CORS 
> request (should not have negative effects)
> - not setting “Vary: Origin”
> This would probably greatly improve caching for public APIs that do not rely 
> on credentials.
> Kind of discussed here: https://bugs.eclipse.org/bugs/show_bug.cgi?id=443530 
> 
> A single allowed origin is similar, but alas Access-Control-Allow-Origin 
> headers will differ for this origin and the local origin (set to allowed host 
> / missing) and thus cannot be improved the same way.

I've been looking at how Tomcat's CORS Filter interacts with caching and
have reached the following conclusions.

Caches automatically differentiate by HTTP method and most only consider
caching GET but also cache HEAD and OPTIONS.

INVALID responses are never cached since they do not meet the
requirements of RFC 7234 section 3.

That leaves SIMPLE, PRE_FLIGHT, ACTUAL and NOT_CORS to consider.

For GET or HEAD when anyOriginAllowed is true,
SIMPLE and ACTUAL add the following headers:
- Access-Control-Allow-Origin
- Access-Control-Expose-Headers
PRE_FLIGHT is not applicable to these methods.
NOT_CORS adds the following headers:
- None

Therefore, for cache friendliness, we should always add the following
headers for GET and HEAD when anyOriginAllowed is true:
- Access-Control-Allow-Origin
- Access-Control-Expose-Headers

For OPTIONS when anyOriginAllowed is true,
SIMPLE and ACTUAL add the following headers:
- Access-Control-Allow-Origin
- Access-Control-Expose-Headers
PRE_FLIGHT adds the following headers:
- Access-Control-Max-Age
- Access-Control-Allow-Methods
- Access-Control-Allow-Headers
NOT_CORS adds the following headers:
- None

With PRE_FLIGHT the response also varies with:
- Access-Control-Request-Headers
- Access-Control-Request-Method

Therefore, for cache correctness we should add
Access-Control-Request-Headers and Access-Control-Request-Method to the
Vary header for all OPTIONS requests.

Therefore, for cache friendliness, we should add the following headers
for OPTIONS requests when anyOriginAllowed is true:
- Access-Control-Allow-Origin
- Access-Control-Expose-Headers
- Access-Control-Max-Age
- Access-Control-Allow-Methods
- Access-Control-Allow-Headers
A sanity check on the above would be appreciated. I hope to implement
the above changes early next week.

Mark
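The two caching points above (always emitting the headers when anyOriginAllowed is true, and varying OPTIONS responses on the two Access-Control-Request-* headers) in a small Python model, added here as an illustration and not code from Tomcat's CorsFilter; the allowed methods/headers, max-age and URLs are constructed values.

```python
ALLOWED_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}   # constructed config
ALLOWED_HEADERS = {"origin", "content-type"}           # constructed config

def cors_response(method, req, vary_on_preflight=True):
    """(status, headers, vary) for a request when anyOriginAllowed is true.
    Headers are always added (cache friendliness); for OPTIONS the cache key
    must include the Access-Control-Request-* values (cache correctness)."""
    headers = {"Access-Control-Allow-Origin": "*",
               "Access-Control-Expose-Headers": ""}
    if method != "OPTIONS":
        return 200, headers, []
    vary = ["Access-Control-Request-Headers",
            "Access-Control-Request-Method"] if vary_on_preflight else []
    acrm = req.get("Access-Control-Request-Method")
    acrh = {h.strip().lower() for h in
            req.get("Access-Control-Request-Headers", "").split(",") if h.strip()}
    if acrm and (acrm not in ALLOWED_METHODS or not acrh <= ALLOWED_HEADERS):
        return 403, {}, vary                       # preflight rejected
    headers.update({"Access-Control-Max-Age": "1800",
                    "Access-Control-Allow-Methods": ",".join(sorted(ALLOWED_METHODS)),
                    "Access-Control-Allow-Headers": ",".join(sorted(ALLOWED_HEADERS))})
    return 200, headers, vary

class VaryCache:
    """Shared-cache model: an entry matches when method, URL and the request's
    values for every header listed in the stored Vary all match."""
    def __init__(self):
        self.entries = []        # (method, url, [(header, value)], response)
    def fetch(self, method, url, req, **opts):
        for m, u, sel, resp in self.entries:
            if (m, u) == (method, url) and all(req.get(h, "") == v for h, v in sel):
                return resp, True                  # served from cache
        status, headers, vary = cors_response(method, req, **opts)
        if status == 200:                          # 403 is not cacheable by default
            self.entries.append((method, url, [(h, req.get(h, "")) for h in vary],
                                 (status, headers)))
        return (status, headers), False

def shared_get_entries():
    """Two origins plus a non-CORS client all reuse one GET entry."""
    c = VaryCache()
    return [c.fetch("GET", "/api", r)[1] for r in
            ({"Origin": "https://a.example"}, {"Origin": "https://b.example"}, {})]

def delete_preflight_status(vary_on_preflight):
    """Cache a POST preflight, then ask for DELETE: 403 with Vary, stale 200 without."""
    c = VaryCache()
    base = {"Origin": "https://a.example", "Access-Control-Request-Headers": "Content-Type"}
    c.fetch("OPTIONS", "/api", {**base, "Access-Control-Request-Method": "POST"},
            vary_on_preflight=vary_on_preflight)
    (status, _), hit = c.fetch("OPTIONS", "/api",
                               {**base, "Access-Control-Request-Method": "DELETE"},
                               vary_on_preflight=vary_on_preflight)
    return status, hit
```

With `vary_on_preflight=False` the DELETE preflight is answered from the POST preflight's cached 200, which is exactly the incorrect reuse the Vary additions prevent.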
