From 2770faab595547dbbaac4f81dfa6a341176066e0 Mon Sep 17 00:00:00 2001
From: Jason McNeil
Date: Tue, 26 Mar 2024 18:13:34 -0300
Subject: [PATCH 1/2] fix(middleware/cors): Vary header handling non-cors OPTIONS requests
---
 middleware/cors/cors.go | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/middleware/cors/cors.go b/middleware/cors/cors.go
index 8fd70b3c60..1b8b928809 100644
--- a/middleware/cors/cors.go
+++ b/middleware/cors/cors.go
@@ -175,6 +175,8 @@ func New(config ...Config) fiber.Handler {
 // If it's a preflight request and doesn't have Access-Control-Request-Method header, it's outside the scope of CORS
 if c.Method() == fiber.MethodOptions && c.Get(fiber.HeaderAccessControlRequestMethod) == "" {
+ // See comment in preflight section below
+ c.Vary(fiber.HeaderOrigin)
 return c.Next()
 }
From 8583dbbf231042c5ce0357be5209990aa3dd98f7 Mon Sep 17 00:00:00 2001
From: Jason McNeil
Date: Tue, 26 Mar 2024 18:19:09 -0300
Subject: [PATCH 2/2] chore(middleware/cors): Add Vary header for non-CORS OPTIONS requests comment
---
 middleware/cors/cors.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/middleware/cors/cors.go b/middleware/cors/cors.go
index 1b8b928809..f38da1bb71 100644
--- a/middleware/cors/cors.go
+++ b/middleware/cors/cors.go
@@ -175,7 +175,10 @@ func New(config ...Config) fiber.Handler {
 // If it's a preflight request and doesn't have Access-Control-Request-Method header, it's outside the scope of CORS
 if c.Method() == fiber.MethodOptions && c.Get(fiber.HeaderAccessControlRequestMethod) == "" {
- // See comment in preflight section below
+ // Response to OPTIONS request should not be cached but,
+ // some caching can be configured to cache such responses.
+ // To Avoid poisoning the cache, we include the Vary header
+ // for non-CORS OPTIONS requests:
 c.Vary(fiber.HeaderOrigin)
 return c.Next()
 }
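Review bot: The added `c.Vary(fiber.HeaderOrigin)` in the early-return branch of `New` (PATCH 1/2, carried unchanged as context in PATCH 2/2) names only Origin, although the branch itself is chosen by whether `Access-Control-Request-Method` is present. A cache that stores OPTIONS responses matches later requests against the Vary of the stored response, so this non-CORS response can still be replayed to a preflight request with the same URL and Origin; adding `c.Vary(fiber.HeaderAccessControlRequestMethod)` beside it would separate the two. The rest of `New` lies outside the hunk, so how the preflight path sets its own Vary cannot be confirmed here. The diffstat shows only cors.go changed; a test asserting the Vary value on an OPTIONS request without `Access-Control-Request-Method` would pin the fix.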
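Review bot: The replacement comment in PATCH 2/2 (same branch of `New`) says a Vary header is included to avoid cache poisoning, but it does not say which request header is named or what a cache would otherwise do wrong. I would state the mechanism directly, for example `// Vary: Origin keeps a shared cache from replaying this non-CORS OPTIONS response to a request with a different Origin.` The first sentence also reads more cleanly as `// Responses to OPTIONS requests should not be cached, but some caches can be configured to store them.` The enclosing function starts and ends outside the hunk.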