Skip to content

Fix: Always set Vary: Origin header according to CORS spec to avoid caching issues #348

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Fix: Always set Vary: Origin header according to CORS spec to avoid caching issues #348

wants to merge 3 commits into from

Conversation

arashkyadegar
Copy link

What does this PR do?

This PR fixes a subtle issue with the handling of the Vary: Origin response header in the CORS middleware (cors/lib/index.js).
Currently, the Vary: Origin header is not set when the Origin request header is missing (i.e., non-CORS requests), which can cause incorrect caching behavior in user agents.

Why is this needed?

According to the CORS specification and best practices, the Vary: Origin header must always be set whenever the server’s response varies based on the Origin header—even if the Origin header is absent in the request.
If Vary: Origin is missing, browsers may cache a non-CORS response without the Access-Control-Allow-Origin header, and then incorrectly reuse that cached response for subsequent CORS requests, leading to failed cross-origin requests.

This PR ensures that Vary: Origin is consistently set in all cases where CORS logic depends on the Origin header, preventing this caching issue.

This behavior is aligned with discussions and recommendations in the official CORS specification and issues like #332.

How to test?

  1. Send a non-CORS request (without the Origin header) to the server.
  2. Confirm that the response includes the Vary: Origin header.
  3. Send a CORS request (with the Origin header).
  4. Confirm that the correct Access-Control-Allow-Origin header is present and the response is not cached incorrectly.

Checklist

  • Code changes follow project style
  • Tested behavior for both CORS and non-CORS requests
  • Documentation updated (if applicable)

Thanks for reviewing! Please let me know if you’d like me to adjust or expand anything.

@UlisesGascon
Copy link
Member

Thanks for the proposal @arashkyadegar! I was checking the CI and as we are compatible with [email protected] we need to use and older syntax that does not allows to use Array.prototype.includes: https://github.com/expressjs/cors/actions/runs/15032761467/job/42287929600?pr=348

@arashkyadegar
Copy link
Author

Thanks for the feedback! I’ve updated the code to avoid using Array.prototype.includes for Node 0.x compatibility. Please let me know if there’s anything else that needs adjustment.

@arashkyadegar
fix: replace Array.prototype.includes with older syntax for Node 0.x
47fbf4d 
compatibility

The previous use of Array.prototype.includes is not supported in Node
0.x.
Replaced it with a compatible alternative to ensure CI passes and
maintain backward compatibility.
@arashkyadegar
Copy link
Author

Hello, just wanted to check in on this PR. Let me know if there's anything you'd like me to update or clarify. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@arashkyadegar @UlisesGascon