Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Is the Vary header necessary for non-cacheable CORS requests? #28

Closed
yinheli opened this issue Sep 9, 2024 · 5 comments
Closed

Is the Vary header necessary for non-cacheable CORS requests? #28

yinheli opened this issue Sep 9, 2024 · 5 comments
Labels
question Further information is requested

Comments

@yinheli
Copy link

yinheli commented Sep 9, 2024

Is it necessary to include the Vary header in responses to non-CORS requests that wouldn't be cached anyway?
For example, if the request is a POST or PUT request, which are typically not cached,
do we still need to respond with "Vary: Origin"? Personally, I don't think it's particularly necessary.

Related information:

#24
#25

@barryvdh
Copy link
Member

barryvdh commented Sep 9, 2024

Are there downside to adding the Vary header?

@yinheli
Copy link
Author

yinheli commented Sep 9, 2024

It doesn't seem very elegant and returns not very useful/necessary information.

@yinheli
Copy link
Author

yinheli commented Sep 11, 2024

I have a project that previously used a custom CORS implementation, which was quite standardized. However, we are planning to migrate to Laravel's built-in CORS implementation, which is essentially based on php-cors. We decided to abandon our self-developed implementation mainly to reduce the maintenance cost of our codebase. Using the official standard implementation will be more intuitive and clear.

The Vary header handling in php-cors is quite simplistic, adding it to all paths that support cross-origin requests, regardless of whether it is truly needed. For example, it adds the Vary header to non-cached POST requests. This has caused thousands of our unit tests to fail, so I am considering proposing an enhancement to php-cors to avoid adding the Vary header for non-CORS requests that wouldn't be cached anyway.

Can I submit a PR to address this issue? Or if you have any other suggestions, please let me know. Thanks.

@barryvdh
Copy link
Member

Well you could just add a Middleware behind CORS to remove the VARY head on non-GET requests.

@barryvdh
Copy link
Member

I think it's according to the specs now. Please let me know if there is a resource explaining otherwise.

@barryvdh barryvdh added the question Further information is requested label Nov 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
question Further information is requested
Projects
None yet
Development

No branches or pull requests

2 participants