On 05/07/18 18:13, Gunnar Brand wrote: <snip/>
> That aside, setting "Vary: Origin" is of course very bad for caching. But
> then the CorsFilter should probably only be mapped to APIs called remotely.
> As an improvement, since with Bug 62343 allowed.origins = '*' will always set
> Access-Control-Allow-Origin to '*', if any origin is allowed the filter could
> help caching by:
> - always setting the access control response headers, i.e. even if not a CORS
>   request (should not have negative effects)
> - not setting "Vary: Origin"
> This would probably greatly improve caching for public APIs that do not rely
> on credentials.
> Kind of discussed here: https://bugs.eclipse.org/bugs/show_bug.cgi?id=443530
>
> A single allowed origin is similar, but alas Access-Control-Allow-Origin
> headers will differ for this origin and the local origin (set to allowed host
> / missing) and thus cannot be improved the same way.

I've been looking at how Tomcat's CORS Filter interacts with caching and have
reached the following conclusions.

Caches automatically differentiate by HTTP method and most only consider
caching GET but also cache HEAD and OPTIONS.

INVALID responses are never cached since they do not meet the requirements of
RFC 7234 section 3.

That leaves SIMPLE, PRE_FLIGHT, ACTUAL and NOT_CORS to consider.
For GET or HEAD when anyOriginAllowed is true, SIMPLE and ACTUAL add the
following headers:
- Access-Control-Allow-Origin
- Access-Control-Expose-Headers

PRE_FLIGHT is not applicable to these methods.

NOT_CORS adds the following headers:
- None

Therefore, for cache friendliness, we should always add the following headers
for GET and HEAD when anyOriginAllowed is true:
- Access-Control-Allow-Origin
- Access-Control-Expose-Headers

For OPTIONS when anyOriginAllowed is true, SIMPLE and ACTUAL add the following
headers:
- Access-Control-Allow-Origin
- Access-Control-Expose-Headers

PRE_FLIGHT adds the following headers:
- Access-Control-Max-Age
- Access-Control-Allow-Methods
- Access-Control-Allow-Headers

NOT_CORS adds the following headers:
- None

With PRE_FLIGHT the response also varies with:
- Access-Control-Request-Headers
- Access-Control-Request-Method

Therefore, for cache correctness we should add Access-Control-Request-Headers
and Access-Control-Request-Method to the Vary header for all OPTIONS requests.

Therefore, for cache friendliness, we should add the following headers for
OPTIONS requests when anyOriginAllowed is true:
- Access-Control-Allow-Origin
- Access-Control-Expose-Headers
- Access-Control-Max-Age
- Access-Control-Allow-Methods
- Access-Control-Allow-Headers

A sanity check on the above would be appreciated. I hope to implement the above
changes early next week.

Mark
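The cache interaction described in the message above can be checked mechanically. What follows is an added example, not Tomcat's CorsFilter code and not something posted in this thread: a small Python model of the filter's response headers for anyOriginAllowed=true, run against a shared cache that applies the Vary rule of RFC 7234 section 4.1. The filter configuration (allowed methods and headers, exposed headers, max age), the two web origins, the request traffic, the URL and the two mode names ("vary_origin" for the behaviour the thread starts from, "proposed" for the header and Vary changes listed above) are all constructed for the example. The model also assumes that preflight handling echoes the requested method and headers back in Access-Control-Allow-Methods and Access-Control-Allow-Headers, which is what makes a preflight answer depend on the Access-Control-Request-* fields.

```python
"""Model of Tomcat's CorsFilter response headers in front of a shared HTTP cache.

Added example, not Tomcat code. Two filter behaviours for anyOriginAllowed=true
run against a cache applying RFC 7234 section 4.1 (a stored response is reused
only when the request headers named in its Vary field match the new request).
  "vary_origin": CORS headers only on CORS requests, "Vary: Origin" everywhere.
  "proposed":    CORS headers on every GET/HEAD/OPTIONS response, no Vary: Origin,
                 OPTIONS responses vary on Access-Control-Request-Method/-Headers.
"""

ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT"}  # constructed filter config
ALLOWED_HEADERS = {"x-requested-with"}
EXPOSED_HEADERS = "X-Request-Id"
MAX_AGE = "1800"
ACRM = "Access-Control-Request-Method"
ACRH = "Access-Control-Request-Headers"


def classify(method, req):
    """Request type as the filter sees it; INVALID is decided in origin_server."""
    if "Origin" not in req:
        return "NOT_CORS"
    if method == "OPTIONS" and ACRM in req:
        return "PRE_FLIGHT"
    return "SIMPLE" if method in ("GET", "HEAD", "POST") else "ACTUAL"


def origin_server(method, req, mode):
    """Return (status, headers) the filter would produce for one request."""
    kind = classify(method, req)
    want_method = req.get(ACRM, "")
    want_headers = [h.strip().lower() for h in req.get(ACRH, "").split(",") if h.strip()]
    if kind == "PRE_FLIGHT" and (want_method not in ALLOWED_METHODS
                                 or not set(want_headers) <= ALLOWED_HEADERS):
        return 403, {}  # INVALID: a 403 that the cache below never stores
    proposed = mode == "proposed"
    headers = {}
    if kind != "NOT_CORS" or (proposed and method in ("GET", "HEAD", "OPTIONS")):
        headers["Access-Control-Allow-Origin"] = "*"
        headers["Access-Control-Expose-Headers"] = EXPOSED_HEADERS
    if kind == "PRE_FLIGHT" or (proposed and method == "OPTIONS"):
        # Model assumption: requested method/headers are echoed back, which is
        # why a preflight answer depends on the Access-Control-Request-* fields.
        headers["Access-Control-Max-Age"] = MAX_AGE
        headers["Access-Control-Allow-Methods"] = want_method
        headers["Access-Control-Allow-Headers"] = ",".join(want_headers)
    if not proposed:
        headers["Vary"] = "Origin"
    elif method == "OPTIONS":
        headers["Vary"] = ACRM + ", " + ACRH
    return 200, headers


class SharedCache:
    """Minimal shared cache: entries per (method, url), selected via Vary."""

    def __init__(self):
        self.entries = {}

    def lookup(self, method, url, req):
        for selecting, response in self.entries.get((method, url), []):
            if all(req.get(name, "") == value for name, value in selecting):
                return response
        return None

    def store(self, method, url, req, status, headers):
        if status != 200 or method not in ("GET", "HEAD", "OPTIONS"):
            return  # only successful GET/HEAD/OPTIONS responses are cached here
        names = [n.strip() for n in headers.get("Vary", "").split(",") if n.strip()]
        selecting = tuple((n, req.get(n, "")) for n in names)
        self.entries.setdefault((method, url), []).append((selecting, (status, headers)))


A, B = "https://a.example", "https://b.example"  # constructed web origins
REQUESTS = [  # constructed traffic: two web origins plus non-browser clients
    ("GET", {}),                                              # curl, no Origin
    ("GET", {"Origin": A}),
    ("GET", {"Origin": B}),
    ("OPTIONS", {"Origin": A, ACRM: "PUT"}),
    ("OPTIONS", {"Origin": A, ACRM: "PUT", ACRH: "x-requested-with"}),
    ("OPTIONS", {"Origin": B, ACRM: "PUT", ACRH: "x-requested-with"}),
    ("OPTIONS", {}),                                          # plain OPTIONS probe
    ("OPTIONS", {"Origin": A, ACRM: "PUT"}),
    ("GET", {"Origin": A}),
    ("OPTIONS", {"Origin": A, ACRM: "DELETE"}),               # not allowed: INVALID
]


def simulate(mode, requests=REQUESTS, url="/api/items"):
    """Return (origin_fetches, stale_responses); a response is stale when the
    cache served something other than what the filter would produce for it."""
    cache = SharedCache()
    fetches = stale = 0
    for method, req in requests:
        fresh = origin_server(method, req, mode)
        served = cache.lookup(method, url, req)
        if served is None:
            fetches += 1
            served = fresh
            cache.store(method, url, req, *fresh)
        if served != fresh:
            stale += 1
    return fetches, stale
```

Calling `simulate("vary_origin")` on this traffic gives 6 origin fetches and 2 stale responses: the cache keys OPTIONS entries on Origin only, so the second preflight from origin A is answered with the Allow-Headers of the first, and the DELETE preflight the filter would have rejected with 403 is answered from the cached PUT preflight. `simulate("proposed")` gives 5 fetches and 0 stale responses: one GET entry serves every origin, OPTIONS entries are selected by the Access-Control-Request-* fields, and the 403 is fetched fresh and not stored.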