Opened 8 years ago
Closed 8 years ago
#38060 closed enhancement (fixed)
Add Vary: Origin to CORS responses
Reported by: | pdufour | Owned by: | jorbin |
---|---|---|---|
Milestone: | 4.7 | Priority: | normal |
Severity: | normal | Version: | |
Component: | REST API | Keywords: | has-patch |
Focuses: | Cc: |
Description
I think enough WP setups have some caching engine like Varnish installed that it'd be useful to have a 'Vary: Origin' header on any responses that have a Access-Control-Allow-Origin
header.
Steps to replicate:
Send CURL request to WP API with a custom origin. See that the it returns with Access-Control-Allow-Origin: custom origin
but does not have a Vary: Origin
header so if you have a caching engine installed and send another request with a separate origin than the first, it will still return custom origin
.
Attachments (1)
Change History (12)
This ticket was mentioned in Slack in #core by kadamwhite. View the logs.
8 years ago
#3
@
8 years ago
- Keywords 2nd-opinion added
- Milestone changed from Awaiting Review to 4.7
I can get behind this. I do think it should only be for wp-api responses, at least initially. Would love to know what others think.
This ticket was mentioned in Slack in #core-restapi by jorbin. View the logs.
8 years ago
#6
@
8 years ago
Back-filling from slack, I'm +1 on adding this; as @jason_the_adams notes vary: origin
is a W3 CORS implementation recommendation: https://www.w3.org/TR/cors/#resource-implementation
#7
@
8 years ago
- Keywords 2nd-opinion removed
- Owner set to jorbin
- Status changed from new to assigned
Forgot to add a link to the HAPI code as an example of a framework providing a Vary header by default in their CORS support: https://github.com/hapijs/hapi/blob/master/lib/cors.js#L157
Edit #1
https://github.com/WP-API/WP-API/issues/2661 for original issue posted on WP-API repo.