Added Vary value for CORS in Frontend

refs https://github.com/TryGhost/Toolbox/issues/461

- Having a 'Origin' in vary header value present on each `OPTIONS` allows to correctly bucket "allowed CORS" and "disallowed CORS" responses in shared caches
This commit is contained in:
Naz 2022-11-02 16:20:15 +08:00
parent f581e33400
commit a8ba8cc444
No known key found for this signature in database
3 changed files with 19 additions and 4 deletions

View File

@ -54,4 +54,19 @@ function corsOptionsDelegate(req, callback) {
callback(null, corsOptions);
}
module.exports = cors(corsOptionsDelegate);
/**
*
* @param {Express.Request} req
* @param {Express.Response} res
* @param {Function} next
*/
const handleCaching = (req, res, next) => {
// @NOTE: try to add native support for dynamic 'vary' header value in 'cors' module
res.vary('Origin');
next();
};
module.exports = [
cors(corsOptionsDelegate),
handleCaching
];

View File

@ -108,7 +108,7 @@ describe('OPTIONS requests', function () {
.expect(200);
assert.equal(res.headers['cache-control'], 'public, max-age=0');
assert.equal(res.headers.vary, 'Accept-Encoding');
assert.equal(res.headers.vary, 'Origin, Accept-Encoding');
assert.equal(res.headers.allow, 'POST,GET,HEAD');
});
@ -119,7 +119,7 @@ describe('OPTIONS requests', function () {
.expect(200);
assert.equal(res.headers['cache-control'], 'public, max-age=0');
assert.equal(res.headers.vary, 'Accept-Encoding');
assert.equal(res.headers.vary, 'Origin, Accept-Encoding');
assert.equal(res.headers.allow, 'POST,GET,HEAD');
});
});