When making a CORS request, if the requested Origin is on the list of allowed origins, the response contains both the Access-Control-Allow-Origin header and the Vary: Origin header.
The Vary: Origin header tells onward CDNs etc. that the response was negotiated based on the requestor's Origin header value.
The issue is (and I've tested the leading CDN providers) that if the requestor doesn't provide an Origin header in their request, or provides an Origin value that is not one of the allowed ones, the response does not include Vary: Origin.
Should a CDN performing CORS always respond with Vary: Origin in the response headers? If it doesn't, a CDN would believe it can serve the same response to any Origin value. Then again, it would be possible to fill a CDN's cache by making many requests with random Origin values.
1 Answer
#1
18
Yes. If a request may contain an Access-Control-Allow-Origin with different values, then the CDN should always respond with Vary: Origin, even for responses without an Access-Control-Allow-Origin header. Your analysis is correct: if the header isn't always present, it would be possible to fill the cache with incorrect values.
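Added example, not part of the question or answer: a small Python model of a Vary-aware shared cache in front of an origin server that behaves the way the question describes (Vary: Origin only on allow-listed responses) beside the corrected behaviour (Vary: Origin always). It shows how a cached response with no Vary header is handed to a browser on an allowed origin without the Access-Control-Allow-Origin header, whereas always emitting Vary: Origin keeps the variants apart. The allow-list, path and origin values are constructed for the demo.

```python
from typing import Dict, List, Optional, Tuple

ALLOWED_ORIGINS = {"https://app.example"}  # constructed allow-list


def origin_server(path: str, origin: Optional[str], always_vary: bool) -> Dict[str, str]:
    """Model of the upstream. With always_vary=False it emits Vary: Origin only
    when the request Origin is allowed, as in the question; with True it always does."""
    headers = {"Content-Type": "application/json"}
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Vary"] = "Origin"
    elif always_vary:
        headers["Vary"] = "Origin"
    return headers


class CdnCache:
    """Shared cache that honours Vary like HTTP caches do: a stored variant is
    reused only if the request headers named in its Vary match the new request."""

    def __init__(self, always_vary: bool) -> None:
        self.always_vary = always_vary
        self.store: Dict[str, List[Tuple[Dict[str, Optional[str]], Dict[str, str]]]] = {}

    def fetch(self, path: str, request_headers: Dict[str, str]) -> Tuple[Dict[str, str], bool]:
        req = {k.lower(): v for k, v in request_headers.items()}
        for selecting, response in self.store.get(path, []):
            if all(req.get(name) == value for name, value in selecting.items()):
                return response, True  # cache hit
        response = origin_server(path, req.get("origin"), self.always_vary)
        vary = [n.strip().lower() for n in response.get("Vary", "").split(",") if n.strip()]
        # No Vary header means an empty selector, i.e. this variant matches every request.
        selecting = {n: req.get(n) for n in vary}
        self.store.setdefault(path, []).append((selecting, response))
        return response, False


def run_scenario(always_vary: bool) -> Tuple[bool, Optional[str]]:
    """1) a request without Origin warms the cache; 2) a browser on the allowed
    origin asks for the same resource. Returns (was_cache_hit, ACAO value served)."""
    cdn = CdnCache(always_vary)
    cdn.fetch("/api/data", {})
    resp, hit = cdn.fetch("/api/data", {"Origin": "https://app.example"})
    return hit, resp.get("Access-Control-Allow-Origin")


if __name__ == "__main__":
    print("Vary only on allowed:", run_scenario(False))  # (True, None): CORS broken
    print("Vary always:         ", run_scenario(True))   # (False, 'https://app.example')
```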