Make WordPress Core

Opened 10 months ago

Closed 8 months ago

#38060 closed enhancement (fixed)

Add Vary: Origin to CORS responses

Reported by: pdufour
Owned by: jorbin
Milestone: 4.7
Priority: normal
Severity: normal
Version:
Component: REST API
Keywords: has-patch
Focuses:
Cc:


I think enough WP setups have some caching engine like Varnish installed that it'd be useful to have a 'Vary: Origin' header on any responses that have an Access-Control-Allow-Origin header.

Steps to replicate:
Send a cURL request to the WP API with a custom origin. See that it returns with Access-Control-Allow-Origin: custom origin but does not have a Vary: Origin header, so if you have a caching engine installed and send another request with a separate origin than the first, it will still return custom origin.

Attachments (1)

38060.patch (483 bytes) - added by procodewp 9 months ago.
Adds vary: origin header to rest_send_cors_headers()


Change History (12)

#1 @pdufour
10 months ago

Forgot to add a link to the HAPI code as an example of a framework providing a Vary header by default in their CORS support: https://github.com/hapijs/hapi/blob/master/lib/cors.js#L157

Edit #1
https://github.com/WP-API/WP-API/issues/2661 for original issue posted on WP-API repo.


This ticket was mentioned in Slack in #core by kadamwhite.

10 months ago

#3 @jorbin
10 months ago

  • Keywords 2nd-opinion added
  • Milestone changed from Awaiting Review to 4.7

I can get behind this. I do think it should only be for wp-api responses, at least initially. Would love to know what others think.

#4 @jorbin
9 months ago

  • Keywords needs-patch added

If this is going to make it for 4.7 it needs a patch.

This ticket was mentioned in Slack in #core-restapi by jorbin.

9 months ago

#6 @kadamwhite
9 months ago

Back-filling from Slack, I'm +1 on adding this; as @jason_the_adams notes, vary: origin is a W3 CORS implementation recommendation: https://www.w3.org/TR/cors/#resource-implementation

#7 @jorbin
9 months ago

  • Keywords 2nd-opinion removed
  • Owner set to jorbin
  • Status changed from new to assigned

This ticket was mentioned in Slack in #core by jeffpaul.

9 months ago


#9 @procodewp
9 months ago

  • Keywords has-patch added; needs-patch removed

Patch to add the Vary: Origin header to rest_send_cors_headers()

#10 @jorbin
8 months ago

  • Component changed from General to REST API

#11 @jorbin
8 months ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 38806:

REST API: Include Vary: Origin in cors headers

vary: origin is a W3 CORS implementation recommendation (https://www.w3.org/TR/cors/#resource-implementation). It's used by default in frameworks such as hapi and Laravel-cors. Overall, it helps sites sitting behind a cache such as varnish.

Fixes #38060.
Props procodewp, pdufour for research.
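
The caching behaviour from the ticket's replication steps, and the effect of the fix, as an added example that is not part of the ticket or of WordPress core: a minimal simulated shared cache in front of a backend that reflects the request Origin. The names `backend`, `SharedCache` and `allow_origin_seen_by`, the sample origins and the URL are constructed for illustration.

```python
# Constructed simulation: a backend that reflects the request Origin into
# Access-Control-Allow-Origin, fronted by a shared cache that honours Vary.

def backend(origin, send_vary):
    """Reflect the Origin header, as a CORS-enabled API does (hypothetical stand-in)."""
    headers = {"Access-Control-Allow-Origin": origin}
    if send_vary:
        headers["Vary"] = "Origin"
    return {"headers": headers, "body": '{"posts": []}'}


class SharedCache:
    """Minimal HTTP cache: the key is the URL plus every request header named in Vary."""

    def __init__(self, send_vary):
        self.send_vary = send_vary
        self.vary_for = {}   # url -> header names from the stored response's Vary
        self.store = {}      # (url, varied request header values) -> response

    def _key(self, url, req_headers):
        names = self.vary_for.get(url, ())
        return (url, tuple(req_headers.get(n, "") for n in names))

    def fetch(self, url, req_headers):
        key = self._key(url, req_headers)
        if key in self.store:
            return self.store[key]                      # cache hit
        resp = backend(req_headers["Origin"], self.send_vary)
        vary = resp["headers"].get("Vary", "")
        self.vary_for[url] = tuple(v.strip() for v in vary.split(",") if v.strip())
        self.store[self._key(url, req_headers)] = resp
        return resp


def allow_origin_seen_by(origins, send_vary, url="/wp-json/wp/v2/posts"):
    """Return {request origin: Access-Control-Allow-Origin the cache served it}."""
    cache = SharedCache(send_vary)
    return {o: cache.fetch(url, {"Origin": o})["headers"]["Access-Control-Allow-Origin"]
            for o in origins}


ORIGINS = ["https://a.example", "https://b.example"]  # constructed sample origins

if __name__ == "__main__":
    print("without Vary:", allow_origin_seen_by(ORIGINS, send_vary=False))
    print("with Vary:   ", allow_origin_seen_by(ORIGINS, send_vary=True))
```

Without `Vary: Origin` the second origin is served the first origin's `Access-Control-Allow-Origin` from cache, so a browser on the second site fails the CORS check; with the header, each origin gets its own cached variant.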
