-
-
Notifications
You must be signed in to change notification settings - Fork 17k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ETag should consider CORS headers #5986
Comments
This is not an issue with Express and would happen with any HTTP framework, as the CDN caches the headers & content. If I understood this correctly, your assumption is that GET requests from different origins should return different headers, if that is true then consider in your implementation:
|
Yes that's the assumption and the solution to handle caching in that case would be to return a
|
Regarding this comment. It is indeed expected and not the issue that the CDN caches the headers and the content. It is particularly this combination of the browser using a different ETag from a request cached for a different origin that doesn't play nicely with the feature. |
I'd say remove the ETag from those responses. Either using middleware or disable for all. Add The “Vary: Origin” header for security: https://www.google.com/search?q=Vary+cross-origin+header
My two cents. |
From my own dive into the RFCs, this is a nasty problem with how the 304 response is defined and how headers work in HTTP caches, including caches inside web browsers:
The upshot to all this:
Therefore, ACAO with values other than
If it doesn't do both of these things, then at some point a downstream client is going to process a response with an ACAO header that doesn't match the Origin and treat this as a security error. If the ACAO headers get dropped along the way, a request coming in from a new-but-acceptable origin will not see the new ACAO response specifying the origin from the request. If the ACAO headers get propagated, and written back to cached rows as the spec demands, then we get similarly broken results from a sequence of requests: request from origin A, miss cache, receive 200 (cache it), propagate response; request from origin B, revalidate, receive 304 (additional cache row sharing content, update headers), patch cached body onto new ACAO header; request from origin A, hit cache, respond with the cached response and headers -- which now includes the ACAO header from origin B because the cache must use the most recent headers. It's not hard to imagine a way to do this "right": always send the ACAO header and don't cross-update headers for other cache rows pertaining to the same request path when those requests varied in some relevant dimension (according to the Patching a hash of the Removing the ETag does not help. Per RFC 9111 4.3.1, the cache is allowed to use timestamps instead, even when a Patching a CDN to emit ACAO headers on a 304 response does help but if there are more caches along the way (caching proxies, end-user browser caches), those caches are free to exhibit the same behaviors. |
TL;DR: I want the ETag to change when the
access-control-allow-origin
header is different but the response body is the same.We are facing an issue right now with a couple moving parts working poorly together.
It's a bit difficult to explain but I'll try my best.
This is kind of messed up, as all parties do comply with the specs, though when put together, the specs don't work nicely together.
The best way to fix this would be for the server to generate a different ETag when the
access-control-allow-origin
header differs.The text was updated successfully, but these errors were encountered: