BZ61101: CORS filter should set Vary header in response. Submitted by…

… Rick Riemer. git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1795813 13f79535-47bb-0310-9956-ffa450edef68
apache · May 22, 2017 · b94478d · b94478d
1 parent 5edb50d
commit b94478d
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/java/org/apache/catalina/filters/CorsFilter.java b/java/org/apache/catalina/filters/CorsFilter.java
@@ -277,6 +277,10 @@ protected void handleSimpleCORS(final HttpServletRequest request,
                     exposedHeadersString);
         }
 
+        // Indicate the response depends on the origin
+        response.addHeader(CorsFilter.REQUEST_HEADER_VARY,
+                CorsFilter.REQUEST_HEADER_ORIGIN);
+
         // Forward the request down the filter chain.
         filterChain.doFilter(request, response);
     }
@@ -966,6 +970,13 @@ public Collection<String> getAllowedHttpHeaders() {
             "Access-Control-Allow-Headers";
 
     // -------------------------------------------------- CORS Request Headers
+
+    /**
+     * The Vary header indicates allows disabling proxy caching by indicating
+     * the the response depends on the origin.
+     */
+    public static final String REQUEST_HEADER_VARY = "Vary";
+
     /**
      * The Origin header indicates where the cross-origin request or preflight
      * request originates from.

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
@@ -57,6 +57,10 @@
         <code>o.a.c.connector.CoyoteAdapter#parseSessionCookiesId</code>.
         Patch provided by John Andrew (XUZHOUWANG) via Github. (violetagg)
       </fix>
+      <fix>
+        <bug>61101</bug>: CORS filter should set Vary header in response.
+        Submitted by Rick Riemer. (remm)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">