-
-
Notifications
You must be signed in to change notification settings - Fork 16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Is the Vary header necessary for non-cacheable CORS requests? #28
Comments
Are there downside to adding the Vary header? |
It doesn't seem very elegant and returns not very useful/necessary information. |
I have a project that previously used a custom CORS implementation, which was quite standardized. However, we are planning to migrate to Laravel's built-in CORS implementation, which is essentially based on php-cors. We decided to abandon our self-developed implementation mainly to reduce the maintenance cost of our codebase. Using the official standard implementation will be more intuitive and clear. The Vary header handling in php-cors is quite simplistic, adding it to all paths that support cross-origin requests, regardless of whether it is truly needed. For example, it adds the Vary header to non-cached POST requests. This has caused thousands of our unit tests to fail, so I am considering proposing an enhancement to php-cors to avoid adding the Vary header for non-CORS requests that wouldn't be cached anyway. Can I submit a PR to address this issue? Or if you have any other suggestions, please let me know. Thanks. |
Well you could just add a Middleware behind CORS to remove the VARY head on non-GET requests. |
I think it's according to the specs now. Please let me know if there is a resource explaining otherwise. |
Is it necessary to include the Vary header in responses to non-CORS requests that wouldn't be cached anyway?
For example, if the request is a POST or PUT request, which are typically not cached,
do we still need to respond with "Vary: Origin"? Personally, I don't think it's particularly necessary.
Related information:
#24
#25
The text was updated successfully, but these errors were encountered: