Upgrade go-chi/chi to commit that handles Vary header properly #803
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #802
For CORS, the server needs to include
Origin
in theVary
response (ifAccess-Control-Allow-Origin
is not set to*
)https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#access-control-allow-origin
Flipt is using go-chi/cors to handle CORS which does include that header
https:/go-chi/cors/blob/9b0b248d5e6ba10c954f076a98c5f7760f243882/cors.go#L242-L247
However, if the request includes
Accept-Encoding
, this triggers this linehttps:/go-chi/chi/blob/86f9a6e7ce9bf453eaa339b51f88f586edbccbc1/middleware/compress.go#L321
which overrides any previously set Vary headers
N.B.
Accept-Encoding
is a forbidden header https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_namemeaning it can only be set by the user agent and cannot be modified in JS as a workaround
This bug was fixed in go-chi/chi#640, so this
commit updates go-chi/chi to that commit hash with
go get github.com/go-chi/chi/v5@b750c805b4ee0952b