Added Vary value for CORS in Frontend

refs https:/TryGhost/Toolbox/issues/461 - Having a 'Origin' in vary header value present on each `OPTIONS` allows to correctly bucket "allowed CORS" and "disallowed CORS" responses in shared caches
TryGhost · Nov 2, 2022 · a8ba8cc · a8ba8cc
1 parent f581e33
commit a8ba8cc
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 4 deletions.
diff --git a/ghost/core/core/frontend/web/middleware/cors.js b/ghost/core/core/frontend/web/middleware/cors.js
@@ -54,4 +54,19 @@ function corsOptionsDelegate(req, callback) {
  callback(null, corsOptions);
 }
 
-module.exports = cors(corsOptionsDelegate);
+/**
+ *
+ * @param {Express.Request} req
+ * @param {Express.Response} res
+ * @param {Function} next
+ */
+const handleCaching = (req, res, next) => {
+ // @NOTE: try to add native support for dynamic 'vary' header value in 'cors' module
+ res.vary('Origin');
+ next();
+};
+
+module.exports = [
+ cors(corsOptionsDelegate),
+ handleCaching
+];
diff --git a/ghost/core/core/server/web/api/middleware/cors.js b/ghost/core/core/server/web/api/middleware/cors.js
@@ -82,7 +82,7 @@ function corsOptionsDelegate(req, cb) {
 }
 
 /**
- * 
+ *
  * @param {Express.Request} req
  * @param {Express.Response} res
  * @param {Function} next

diff --git a/ghost/core/test/e2e-server/1-options-requests.test.js b/ghost/core/test/e2e-server/1-options-requests.test.js
@@ -108,7 +108,7 @@ describe('OPTIONS requests', function () {
  .expect(200);
 
  assert.equal(res.headers['cache-control'], 'public, max-age=0');
- assert.equal(res.headers.vary, 'Accept-Encoding');
+ assert.equal(res.headers.vary, 'Origin, Accept-Encoding');
  assert.equal(res.headers.allow, 'POST,GET,HEAD');
  });
 
@@ -119,7 +119,7 @@ describe('OPTIONS requests', function () {
  .expect(200);
 
  assert.equal(res.headers['cache-control'], 'public, max-age=0');
- assert.equal(res.headers.vary, 'Accept-Encoding');
+ assert.equal(res.headers.vary, 'Origin, Accept-Encoding');
  assert.equal(res.headers.allow, 'POST,GET,HEAD');
  });
  });