corydolphin / flask-cors

Cross Origin Resource Sharing ( CORS ) support for Flask
https://flask-cors.corydolphin.com/
MIT License
873 stars, 140 forks

Enable flask-cors to work well with CDNs and caches #293

Open rtshilston opened 3 years ago

rtshilston commented 3 years ago

At present, the vary header is ONLY set if an inbound request has an appropriate 'origin' value. This isn't compatible with using flask-cors with endpoints that have positive cache-headers.

An example scenario is:

  • User 1 requests endpoint without CORS.
  • Response is sent with 1hr cache header, and doesn't include a vary header
  • User 2 requests endpoint and requires CORS
  • Cache responds with cached response to user 1, which fails CORS checks.

This change ensures that if the vary_header flag is set, then it'll always send the header, so that flask-cors can dependably be used with caching.

corydolphin commented 3 years ago

> At present, the vary header is ONLY set if an inbound request has an appropriate 'origin' value. This isn't compatible with using flask-cors with endpoints that have positive cache-headers.
>
> An example scenario is:
>
>   • User 1 requests endpoint without CORS.
>   • Response is sent with 1hr cache header, and doesn't include a vary header
>   • User 2 requests endpoint and requires CORS
>   • Cache responds with cached response to user 1, which fails CORS checks.
>
> This change ensures that if the vary_header flag is set, then it'll always send the header, so that flask-cors can dependably be used with caching.

Hey @rtshilston, this scenario should be covered by default with the "always_send" option. It seems like in that scenario it may be correct to return the wildcard. What have you seen?

rtshilston commented 3 years ago

Hey @corydolphin - thanks for the response. I'm not proposing sending the CORS headers. Instead, always sending "Vary: Origin". I think that's totally safe and compliant with specs. If it's useful for me to build a working test-case, let me know and I'll do that.
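The cache poisoning scenario above, and the proposed fix of always emitting `Vary: Origin`, can be reproduced without a real CDN. The following is an added example and is not code from flask-cors or from either participant: `origin_server` is a hypothetical stand-in that behaves the way the issue describes (CORS headers only when the request carries `Origin`; `Vary: Origin` either only alongside them or always), `VaryAwareCache` is a deliberately simplified model of a shared cache that keys entries on the request header values named in a stored response's `Vary` header (no TTL expiry, no `Vary: *`), and the URL `/api/data` and origin `https://app.example` are constructed sample input.

```python
"""Simulation of the shared-cache scenario from flask-cors issue #293.

Constructed example, not flask-cors code. It models a cache in front of an
origin that sets Access-Control-Allow-Origin only when the request has an
Origin header, and shows why omitting 'Vary: Origin' on the non-CORS
response lets a later cross-origin request be served a response that
fails the browser's CORS check.
"""
from typing import Callable, Dict, List, Tuple

Headers = Dict[str, str]
VaryKey = Tuple[Tuple[str, str], ...]


def origin_server(request_headers: Headers, always_vary: bool) -> Headers:
    """Hypothetical origin endpoint with a 1h public cache TTL (assumption).

    CORS headers are added only when the request carries an Origin header.
    'Vary: Origin' is emitted only with those headers when always_vary is
    False (the behaviour the issue describes), and on every response when
    always_vary is True (the behaviour the issue proposes).
    """
    resp: Headers = {
        "Cache-Control": "public, max-age=3600",
        "Content-Type": "application/json",
    }
    origin = request_headers.get("Origin")
    if origin is not None:
        resp["Access-Control-Allow-Origin"] = origin
        resp["Vary"] = "Origin"
    elif always_vary:
        resp["Vary"] = "Origin"
    return resp


class VaryAwareCache:
    """Simplified shared cache: an entry for a URL can be reused only if the
    request's values for the headers named in the stored response's Vary
    header equal the values of the request that created the entry
    (RFC 9111 section 4.1, without expiry or 'Vary: *' handling)."""

    def __init__(self, upstream: Callable[[Headers], Headers]) -> None:
        self.upstream = upstream
        # url -> list of (vary header names, key derived from them, response)
        self.store: Dict[str, List[Tuple[List[str], VaryKey, Headers]]] = {}

    @staticmethod
    def _vary_key(req: Headers, vary_names: List[str]) -> VaryKey:
        # Absent headers are treated as the empty string, so a request
        # without Origin and one with Origin never share a key under Vary: Origin.
        return tuple((name, req.get(name, "")) for name in vary_names)

    def fetch(self, url: str, req: Headers) -> Tuple[Headers, bool]:
        """Return (response, served_from_cache)."""
        for vary_names, key, cached in self.store.get(url, []):
            if self._vary_key(req, vary_names) == key:
                return cached, True
        resp = self.upstream(req)
        vary_names = [h.strip() for h in resp.get("Vary", "").split(",") if h.strip()]
        self.store.setdefault(url, []).append(
            (vary_names, self._vary_key(req, vary_names), resp)
        )
        return resp, False


def browser_cors_check(resp: Headers, origin: str) -> bool:
    """The check a browser applies to a non-credentialed cross-origin response."""
    acao = resp.get("Access-Control-Allow-Origin")
    return acao == "*" or acao == origin


def run_scenario(always_vary: bool) -> Dict[str, bool]:
    """Replay the issue's sequence: same-origin user, then a cross-origin user,
    then a second cross-origin user from the same site."""
    cache = VaryAwareCache(lambda req: origin_server(req, always_vary))
    site = "https://app.example"  # constructed sample origin

    # User 1: no Origin header, so no CORS headers in the response.
    cache.fetch("/api/data", {"Accept": "application/json"})
    # User 2: cross-origin request that needs Access-Control-Allow-Origin.
    r2, hit2 = cache.fetch("/api/data", {"Accept": "application/json", "Origin": site})
    # User 3: same cross-origin site again; with Vary: Origin it should hit user 2's entry.
    r3, hit3 = cache.fetch("/api/data", {"Accept": "application/json", "Origin": site})

    return {
        "user2_served_from_cache": hit2,
        "user2_cors_ok": browser_cors_check(r2, site),
        "user3_served_from_cache": hit3,
        "user3_cors_ok": browser_cors_check(r3, site),
    }


if __name__ == "__main__":
    print("vary only with CORS headers:", run_scenario(always_vary=False))
    print("vary on every response:     ", run_scenario(always_vary=True))
```

With `always_vary=False` user 1's entry carries no `Vary`, so user 2's request matches it, is served from cache, and fails the browser check; with `always_vary=True` the two requests get separate cache entries, user 2 goes to the origin and passes, and user 3 is then served user 2's CORS-bearing entry. The trade-off is that `Vary: Origin` partitions the cache per requesting origin, which lowers the hit rate for endpoints called from many sites; that is the cost of making cached responses safe to share between CORS and non-CORS clients.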