Version
latest
Context
`CorsHandlerImpl.handle()` correctly emits `Vary: Origin` on the no-Origin and the actual (non-preflight) CORS response branches, but not on the preflight (OPTIONS + `Access-Control-Request-Method`) branch. When the preflight response varies by origin (which it does whenever multiple origins are allowed, or whenever `allowCredentials(true)` is set), the missing `Vary: Origin` header lets HTTP caches and the browser preflight cache serve a preflight response keyed only by URL, potentially returning the `Access-Control-Allow-Origin` for the wrong origin.
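To make the cache-keying effect concrete, here is an added simulation (not code from the vert.x project or from this report). It models a CORS handler that allows two origins with credentials and, like the handler described above, emits `Vary: Origin` on actual responses but not on preflight responses, then runs requests from both origins through a small shared cache that honours `Vary` as RFC 9111 describes. The origins, the URL and the `preflight_bug` switch are constructed for the example.

```python
"""Simulate how a missing Vary: Origin on a preflight response lets a
shared cache hand one origin's Access-Control-Allow-Origin to another."""
from typing import Dict, List, Optional, Tuple

# Constructed for the example: two legitimately allowed origins.
ALLOWED_ORIGINS = {"https://a.example", "https://b.example"}

Headers = Dict[str, str]
Response = Tuple[int, Headers]


def cors_response(req: Headers, preflight_bug: bool) -> Response:
    """Model of a CORS handler with several allowed origins and
    allowCredentials(true).  With preflight_bug=True the preflight branch
    omits Vary: Origin, mirroring the behaviour described in the report."""
    origin = req.get("Origin")
    is_preflight = (req[":method"] == "OPTIONS"
                    and "Access-Control-Request-Method" in req)
    resp: Headers = {}
    if origin is None:                      # no-Origin branch: Vary emitted
        resp["Vary"] = "Origin"
        return 200, resp
    if origin not in ALLOWED_ORIGINS:       # origin not allowed
        return 403, resp
    resp["Access-Control-Allow-Origin"] = origin
    resp["Access-Control-Allow-Credentials"] = "true"
    if is_preflight:                        # preflight branch
        resp["Access-Control-Allow-Methods"] = req["Access-Control-Request-Method"]
        if not preflight_bug:
            resp["Vary"] = "Origin"
        return 204, resp
    resp["Vary"] = "Origin"                 # actual-request branch: Vary emitted
    return 200, resp


class VaryAwareCache:
    """Shared cache keyed on (method, URL).  A stored response is reused only
    if every request header named in its Vary matches the new request."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple[str, str], List[Tuple[Headers, Response]]] = {}

    def lookup(self, url: str, req: Headers) -> Optional[Response]:
        for vary_values, stored in self.entries.get((req[":method"], url), []):
            if all(req.get(h) == v for h, v in vary_values.items()):
                return stored
        return None

    def store(self, url: str, req: Headers, stored: Response) -> None:
        _, resp = stored
        names = [h.strip() for h in resp.get("Vary", "").split(",") if h.strip()]
        vary_values = {h: req.get(h) for h in names}   # empty when Vary absent
        self.entries.setdefault((req[":method"], url), []).append((vary_values, stored))


def fetch(cache: VaryAwareCache, url: str, req: Headers, preflight_bug: bool) -> Response:
    """Serve from cache when the Vary-qualified key matches, else go to origin."""
    hit = cache.lookup(url, req)
    if hit is not None:
        return hit
    stored = cors_response(req, preflight_bug)
    cache.store(url, req, stored)
    return stored


def observed_acao(preflight_bug: bool, preflight: bool) -> Optional[str]:
    """Origin A primes the cache, then origin B requests the same URL.
    Returns the Access-Control-Allow-Origin value origin B actually sees."""
    cache = VaryAwareCache()
    url = "https://api.example/resource"   # constructed

    def request(origin: str) -> Headers:
        h = {"Origin": origin}
        if preflight:
            h[":method"] = "OPTIONS"
            h["Access-Control-Request-Method"] = "GET"
        else:
            h[":method"] = "GET"
        return h

    fetch(cache, url, request("https://a.example"), preflight_bug)
    _, resp = fetch(cache, url, request("https://b.example"), preflight_bug)
    return resp.get("Access-Control-Allow-Origin")


if __name__ == "__main__":
    print("preflight, Vary missing :", observed_acao(True, True))    # a.example (poisoned)
    print("preflight, Vary present :", observed_acao(False, True))   # b.example
    print("actual request          :", observed_acao(True, False))   # b.example
```

With the bug modelled, origin B's preflight is served the cached entry created for origin A, so the `Access-Control-Allow-Origin` it receives names the wrong origin; once the preflight branch emits `Vary: Origin` the cache keeps one entry per origin. A quick check against a real deployment is to send a preflight with `curl -si -X OPTIONS -H 'Origin: https://a.example' -H 'Access-Control-Request-Method: GET' <url>` and confirm the response carries `Vary: Origin` (my suggested check, not part of the report); as a workaround until the handler is fixed, a route handler installed before the CORS handler can add the header itself with `ctx.response().putHeader("Vary", "Origin")` and then call `ctx.next()`.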
Steps to reproduce
No response
Do you have a reproducer?
No response