Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(cors) set missing vary=origin #3765

Merged
merged 4 commits into from
Oct 4, 2018
Merged

fix(cors) set missing vary=origin #3765

merged 4 commits into from
Oct 4, 2018

Conversation

marckhouzam
Copy link
Contributor

When Access-Control-Allow-Origin is not *, the cors plugins normally
sets Vary=Origin. In the case where the plugin sets
Access-Control-Allow-Credentials the Vary=Origin is missing.

When that happens, the browser is told to uses its cache even when the
origin is different and then CORS fails by rejecting the non-matching
origin.

@marckhouzam
fix(cors) set missing vary=origin
91ec0db 
When Access-Control-Allow-Origin is not *, the cors plugins normally
sets Vary=Origin.  In the case where the plugin sets
Access-Control-Allow-Credentials the Vary=Origin is missing.

When that happens, the browser is told to uses its cache even when the
origin is different and then CORS fails by rejecting the non-matching
origin.
@thibaultcha
Copy link
Member

@marckhouzam Thank you for the patch! Would you mind adding a test for this fix as well? We would need it in order for us to merge your PR. Thank you :)

@marckhouzam
Copy link
Contributor Author

I'll give it a try.

@thibaultcha thibaultcha added the pr/wip A work in progress PR opened to receive feedback label Sep 13, 2018
@nijikokun
Copy link
Contributor

nijikokun commented Sep 20, 2018
edited
Loading

We should review this further before allowing it to go through as there are implications when it isn't the origin. This blog post describes it:

https://www.fastly.com/blog/caching-cors

In fact vary could be it's own plugin or within some "browser cache" plugin.

@marckhouzam
Copy link
Contributor Author

@nijikokun I read through the documentations you posted and it does look like the cache handling through the use of Vary could be improved. However, I am thinking that currently the CORS plugin has a bug in its handling of the cache when credentials=true and this PR has value in fixing that. What do you think?

With that in mind, I modified the CORS tests in a second commit. After looking at the existing tests for the cors plugin, I thought that adding a check in the different relevant tests for header Vary=Origin would cover the most ground. Since there was already a test where credentials=true, then checking for Vary=Origin in there shows that the test fails with the current master branch while it passes once my PR is applied.

I could add an is_nil() check for header Vary in all the other CORS tests if you would like.

Thanks

@marckhouzam
Copy link
Contributor Author

Any comments on this updated PR?
Thanks!

@thibaultcha
Copy link
Member

Thanks @marckhouzam, we'll have a look at it soon!

thibaultcha
thibaultcha approved these changes Oct 1, 2018
View reviewed changes
Copy link
Member

@thibaultcha thibaultcha left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. I agree with your statement @marckhouzam:

it does look like the cache handling through the use of Vary could be improved.

And furthermore:

However, I am thinking that currently the CORS plugin has a bug in its handling of the cache when credentials=true and this PR has value in fixing that.

Yes, this is entirely in the scope of this PR, and the point you previously raised can be addressed in a subsequent improvement (for which we would welcome another PR, of course!).

I could add an is_nil() check for header Vary in all the other CORS tests if you would like.

If you have time for it, that would be great! Approving it, but waiting on it before merging.

Thanks again!

@thibaultcha thibaultcha added pr/ready (but hold merge) No more concerns, but do not merge yet (probably a conflict of interest with another PR or release) and removed pr/wip A work in progress PR opened to receive feedback labels Oct 1, 2018
@marckhouzam
Copy link
Contributor Author

Thanks for approving!

Here are the extra changes to the tests. There was a couple Vary=Origin checks missing, and then I added the is_nil() for header Vary.

Thanks!

@thibaultcha thibaultcha merged commit acdd89d into Kong:master Oct 4, 2018
@thibaultcha
Copy link
Member

@marckhouzam Thank you!

Btw, feel free to claim your contributor T-shirt now that your first PR has been merged :)

@marckhouzam
Copy link
Contributor Author

Thanks for the quick turnaround!
It makes it a great experience to contribute to your project.

@marckhouzam marckhouzam deleted the fix/cors-vary-origin branch October 4, 2018 22:56
xiejiangzhi pushed a commit to thecarevoice/kong that referenced this pull request Oct 17, 2018
@marckhouzam @xiejiangzhi
fix(cors) set 'Vary: Origin' when ACAC is enabled
04a7268 
When Access-Control-Allow-Origin is not *, the cors plugin
normally sets `Vary: Origin`. In the case when the plugin sets
Access-Control-Allow-Credentials, `Vary: Origin` is missing.

When that happens, the browser is told to uses its cache even
when the origin is different and then CORS fails by rejecting the
non-matching origin.

From Kong#3765
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thibaultcha thibaultcha thibaultcha approved these changes

Assignees
No one assigned
Labels
pr/ready (but hold merge) No more concerns, but do not merge yet (probably a conflict of interest with another PR or release)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@marckhouzam @thibaultcha @nijikokun