When CORS is turned on, Vary: Origin header gets overwritten by Vary: Accept-Encoding if request includes Accept-Encoding header #802
Describe the bug
CORS requests should have the Vary header set to Origin if the server specifies a single origin (that may dynamically change based on the requesting origin as part of an allowlist). This header is set correctly thanks to https://github.com/go-chi/cors/blob/9b0b248d5e6ba10c954f076a98c5f7760f243882/cors.go#L242-L247
However, if the request has the Accept-Encoding header set, the Vary header gets overwritten in old versions of go-chi/chi because of this line https://github.com/go-chi/chi/blob/86f9a6e7ce9bf453eaa339b51f88f586edbccbc1/middleware/compress.go#L321
Version Info
I'm not sure how to run flipt --version in my local environment since I've been using task dev, but it's happening on the latest master commit 8a63fbb
To Reproduce
curl -i --request GET --url 'http://localhost:8080/api/v1/flags/test' --header 'Origin: http://localhost'
returns
curl -i --request GET --url 'http://localhost:8080/api/v1/flags/test' --header 'Accept-Encoding: gzip, br' --header 'Origin: http://localhost'
returns
Expected behavior
I would expect the curl in step 4 to return either
or
Additional context
This bug was fixed in go-chi/chi#640 which hasn't been released yet, so I have 2 proof of concept solutions, neither of which I really like:
Vary: Origin after go-chi/chi overwrites it. I don't really know Go so I mostly copied an online example but I verified I see the header correctly after (one flaw with this currently is that if Accept-Encoding is not present in the request, this adds Vary: Origin twice) albertchae@59e1c37
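The overwrite reported in this issue, reproduced with the Go standard library only. This is an added example, not code from the issue, flipt, or go-chi: corsVary and compressVary are hypothetical stand-in middlewares, and the overwrite flag switches the compression stand-in between Header().Set and Header().Add on Vary.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// corsVary stands in for a CORS middleware that answers per requesting
// origin: it marks the response as varying by Origin, then calls next.
func corsVary(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Origin") != "" {
			w.Header().Add("Vary", "Origin")
		}
		next.ServeHTTP(w, r)
	})
}

// compressVary stands in for a compression middleware (it compresses nothing).
// overwrite=true uses Set and drops earlier Vary values; false uses Add.
func compressVary(overwrite bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Accept-Encoding") != "" {
			if overwrite {
				w.Header().Set("Vary", "Accept-Encoding")
			} else {
				w.Header().Add("Vary", "Accept-Encoding")
			}
		}
		next.ServeHTTP(w, r)
	})
}

// varyFor sends one constructed request through the chain, returns its Vary values.
func varyFor(overwrite bool, acceptEncoding string) []string {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodGet, "/api/v1/flags/test", nil)
	req.Header.Set("Origin", "http://localhost")
	if acceptEncoding != "" {
		req.Header.Set("Accept-Encoding", acceptEncoding)
	}
	rec := httptest.NewRecorder()
	corsVary(compressVary(overwrite, ok)).ServeHTTP(rec, req)
	return rec.Result().Header.Values("Vary")
}

func main() {
	fmt.Println(varyFor(true, ""), varyFor(true, "gzip, br"), varyFor(false, "gzip, br"))
}
```

A response that is tailored to the requesting origin but lacks Vary: Origin can be reused by a cache for a different origin, so a regression test on the Vary values with Accept-Encoding present is the check to keep.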