26

When making a CORS request, if the requested Origin is on the list of allowed origins, the response contains both the Access-Control-Allow-Origin header, and the Vary: Origin header.

The Vary: Origin tells onward CDNs etc. that the response was negotiated based on the requestor's Origin header value.

The issue (and I've tested the leading CDN providers) is that if the requestor doesn't provide an Origin header in their request, or provides an Origin value that is not one of the allowed ones, the response does not include Vary: Origin.

Should a CDN performing CORS always respond with Vary: Origin in the response headers? If it doesn't, a CDN would believe it can serve the same response to any Origin value. Then again, it would be possible to fill a CDN's cache by making many requests with random origin values.

simbolo

1 Answer

32

Yes. If a request may contain an Access-Control-Allow-Origin with different values, then the CDN should always respond with Vary: Origin, even for responses without an Access-Control-Allow-Origin header. Your analysis is correct: if the header isn't always present, it would be possible to fill the cache with incorrect values.

monsur
  • Just what I thought. I was doubting myself as Amazon CloudFront and Azure CDN only return Vary: Origin when the Origin is present and matches, and otherwise ignore it. Only Google outputs Vary: Origin for every request. I wonder why there is so little about this issue on the web? – simbolo Aug 15 '14 at 16:22
  • 2
    It doesn't come up very often (since there are fewer CORS implementations that whitelist origins, most just use *), and when it does, it is difficult to debug. I have a section on this in CORS in Action. – monsur Aug 15 '14 at 16:31
  • 2
    The problem has also been reported on the [AWS S3 Forums](https://forums.aws.amazon.com/thread.jspa?messageID=555417) – Kristian Hanekamp Oct 23 '15 at 13:20
  • When using Amazon CloudFront with a web origin (not S3), forwarding the Origin header from CloudFront to your origin will avoid this issue. Is that correctly understood? http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/header-caching.html#header-caching-web-cors – Eric Eijkelenboom Jan 14 '16 at 10:34
  • 1
    Actually, this is causing some issues with Chrome: https://bugs.chromium.org/p/chromium/issues/detail?id=260239. No wonder Google would output Vary: Origin for every request – Gyum Fox Jul 03 '20 at 16:20
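
The failure mode discussed in the question and answer above, as an added example that is not part of the original posts: a toy shared cache that keys on the request headers named in Vary, fed by an origin server that sends Vary: Origin either only on an allowed match or on every response. The allow-list, URL and all function names are constructed for illustration.

```python
# Added example: constructed origin server and a toy shared cache that honours Vary.
ALLOWED = {"https://app.example"}  # assumed allow-list, constructed for the demo

def origin_server(req_headers, always_vary):
    """Return response headers for a CORS-enabled resource."""
    resp = {}
    origin = req_headers.get("Origin")
    if origin in ALLOWED:
        resp["Access-Control-Allow-Origin"] = origin
        resp["Vary"] = "Origin"
    elif always_vary:
        # The fix from the answer: emit Vary even when no ACAO header is sent.
        resp["Vary"] = "Origin"
    return resp

class SharedCache:
    """Minimal cache: key = URL plus the request values of headers named in Vary."""
    def __init__(self, backend):
        self.backend = backend
        self.vary = {}     # url -> header names from the last stored response
        self.store = {}    # (url, selected request header values) -> response

    def _key(self, url, req_headers):
        names = self.vary.get(url, ())
        return (url, tuple(req_headers.get(n) for n in names))

    def fetch(self, url, req_headers):
        key = self._key(url, req_headers)
        if key in self.store:
            return self.store[key]           # cache hit
        resp = self.backend(req_headers)
        names = tuple(h.strip() for h in resp.get("Vary", "").split(",") if h.strip())
        self.vary[url] = names
        self.store[self._key(url, req_headers)] = resp
        return resp

def replay(always_vary):
    """Request without Origin first, then from an allowed origin; return the ACAO seen."""
    cache = SharedCache(lambda h: origin_server(h, always_vary))
    cache.fetch("/font.woff", {})            # first request carries no Origin header
    resp = cache.fetch("/font.woff", {"Origin": "https://app.example"})
    return resp.get("Access-Control-Allow-Origin")

if __name__ == "__main__":
    print("conditional Vary:", replay(always_vary=False))  # None: browser blocks the read
    print("always Vary:     ", replay(always_vary=True))   # https://app.example
```

With conditional Vary the Origin-less response is stored without a Vary key and is replayed to the allowed origin, which then sees no Access-Control-Allow-Origin header; with Vary on every response the two requests are cached as separate variants.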