为什么CORS未命中设置“Vary:Origin”响应? [英] Why isn't 'Vary: Origin' response set on a CORS miss?
问题描述
当进行CORS请求时,如果请求的Origin在允许的源列表中,则响应包含 Access-Control-Allow-Origin 头和 Vary:Origin 标题。
When making a CORS request, if the requested Origin is on the list of allowed origins, the response contains both the Access-Control-Allow-Origin header, and the Vary: Origin header.
变化:原因告诉开始CDN等,响应是基于请求者原始标头值。
The Vary: Origin telling onward CDNs etc that the response was negotiated based on the requestors Origin header value.
问题是(我已经测试了领先的CDN提供程序),是如果请求者没有在他们的请求中提供一个Origin标头,或原始值不是允许的值之一,响应不包括响应中的Vary:Origin。
The issue is (and I've tested the leading CDN providers), is that if the requestor doesn't provide a Origin header in their request, or an Origin value that is not one of the allowed ones, the response does not include the Vary: Origin in the response.
如果CDN总是在响应头中响应Vary:Origin?如果不是CDN会相信它可以为任何Origin值提供相同的响应。再次,可以通过发出许多具有随机原始值的请求来填充CDN缓存。
Should a CDN preforming CORS always respond with Vary: Origin in the response headers? If it doesn't a CDN would believe it can serve the same response to any Origin value. Then again, it would be possible to fill a CDNs cache by making many requests with random origin values.
推荐答案
是的。如果请求可能包含具有不同值的 Access-Control-Allow-Origin ,则CDN应始终以 Vary:Origin ,即使对于没有 Access-Control-Allow-Origin 头的响应。您的分析是正确的:如果标头不总是存在,则可能用不正确的值填充缓存。
Yes. If a request may contain a Access-Control-Allow-Origin with different values, then the CDN should always respond with Vary: Origin, even for responses without an Access-Control-Allow-Origin header. Your analysis is correct: if the header isn't always present, it would be possible to fill the cache with incorrect values.
这篇关于为什么CORS未命中设置“Vary:Origin”响应?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
