CrossOriginFilter does not return Vary header on no-cors mode #9777

Closed
vbrown37 opened this issue May 16, 2023 · 0 comments · Fixed by #9779
Labels
Bug For general bugs on Jetty side

Comments

@vbrown37

Jetty version(s)
11.0.13

Java version/vendor
openjdk version "11.0.16" 2022-07-19
OpenJDK Runtime Environment (build 11.0.16+8-post-Ubuntu-0ubuntu118.04)
OpenJDK 64-Bit Server VM (build 11.0.16+8-post-Ubuntu-0ubuntu118.04, mixed mode, sharing)

OS type/version
Linux 5.15.0-71-generic #78-Ubuntu SMP Tue Apr 18 09:00:29 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Description
When running your server with the default CrossOriginFilter, OPTIONS responses do not return a Vary header on no-cors requests.
So other CORS requests to the same resource use the headers cached from the no-cors request and lack CORS headers such as Origin or Access-Control-Allow-Origin.

As explained here, https://fetch.spec.whatwg.org/#cors-protocol-and-http-caches :
In particular, consider what happens if Vary is not used and a server is configured to send Access-Control-Allow-Origin for a certain resource only in response to a CORS request. When a user-agent receives a response to a non-CORS request for that resource (for example, as the result of a navigation request), the response will lack Access-Control-Allow-Origin and the user agent will cache that response. Then, if the user-agent subsequently encounters a CORS request for the resource, it will use that cached response from the previous non-CORS request, without Access-Control-Allow-Origin.

After opening the issue below, the submitted fix doesn't seem to fix this issue:
#1927

How to reproduce?

  1. Configure your server to use Jetty's default CrossOriginFilter.
  2. Load a resource through your browser with a no-cors request; the Vary: Origin header is not present on the OPTIONS response because of no-cors.
  3. Load the same resource with a CORS request; your user agent won't include the Origin and Access-Control-Allow-Origin headers because of caching, and the request will be rejected.
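The caching interaction the report describes, as an added worked example that is not part of the issue and not Jetty's code. It models a Vary-aware HTTP cache (selecting a stored response only when the request headers named in Vary match, as an RFC 9111 cache does) in front of a server that emits Access-Control-Allow-Origin only when the request carries Origin. The server has a switch that mimics the pre-fix filter (Vary: Origin only on CORS responses) and the fix (Vary: Origin always). The URLs, origins and header sets are constructed for the example; it models a simple GET rather than the OPTIONS preflight, but the cache-key logic is the same.

```python
"""Model of why a CORS response without 'Vary: Origin' poisons the cache.

Added illustration, not Jetty code: the cache and server here are toy models
of the behaviour described in https://fetch.spec.whatwg.org/#cors-protocol-and-http-caches
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    status: int
    headers: dict  # lowercase header names -> values


def cors_server(request_headers: dict, always_vary: bool) -> Response:
    """Server that only adds Access-Control-Allow-Origin to requests with Origin.

    always_vary=False mimics the old filter (Vary only set on CORS responses);
    always_vary=True mimics the fix (Vary: Origin on every response).
    """
    headers = {"content-type": "application/json"}
    origin = request_headers.get("origin")
    if origin is not None:
        headers["access-control-allow-origin"] = origin  # allow-list check omitted (toy)
        headers["vary"] = "Origin"
    elif always_vary:
        headers["vary"] = "Origin"
    return Response(200, headers)


class VaryAwareCache:
    """Shared HTTP cache keyed on URL, with secondary keys taken from Vary."""

    def __init__(self) -> None:
        self.entries: dict = {}  # url -> list of (request headers at store time, response)

    def lookup(self, url: str, request_headers: dict):
        for stored_request, response in self.entries.get(url, []):
            vary = response.headers.get("vary", "")
            names = [n.strip().lower() for n in vary.split(",") if n.strip()]
            if "*" in names:
                continue  # Vary: * is never reusable
            # No Vary header -> empty list -> every request matches (the bug)
            if all(stored_request.get(n) == request_headers.get(n) for n in names):
                return response
        return None

    def store(self, url: str, request_headers: dict, response: Response) -> None:
        self.entries.setdefault(url, []).append((dict(request_headers), response))


def fetch(cache: VaryAwareCache, url: str, request_headers: dict, always_vary: bool):
    """Return (response, served_from_cache)."""
    hit = cache.lookup(url, request_headers)
    if hit is not None:
        return hit, True
    response = cors_server(request_headers, always_vary)
    cache.store(url, request_headers, response)
    return response, False


def cors_check(response: Response, origin: str) -> bool:
    """The user agent's CORS check: the response must name the requesting origin."""
    return response.headers.get("access-control-allow-origin") == origin


def scenario(always_vary: bool):
    """Replay the repro steps: no-cors fetch first, then a CORS fetch of the same URL.

    Returns (second_response_came_from_cache, second_response_passes_cors_check).
    """
    cache = VaryAwareCache()
    url = "https://api.example.test/data"  # constructed
    origin = "https://app.example.test"    # constructed
    # Step 2: no-cors request (e.g. a navigation) carries no Origin header.
    fetch(cache, url, {"accept": "*/*"}, always_vary)
    # Step 3: CORS request from the web app for the same resource.
    response, from_cache = fetch(cache, url, {"accept": "*/*", "origin": origin}, always_vary)
    return from_cache, cors_check(response, origin)


if __name__ == "__main__":
    print("old filter  (Vary only on CORS):", scenario(always_vary=False))
    print("fixed filter (Vary always):     ", scenario(always_vary=True))
```

With the old behaviour the second request is a cache hit on the Origin-less response and fails the CORS check; with Vary: Origin on every response the cache treats the two requests as distinct keys, the CORS request reaches the server, and the check passes. The same reasoning is why a CORS filter should emit Vary: Origin unconditionally rather than only when it adds Access-Control-Allow-Origin.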
@vbrown37 vbrown37 added the Bug For general bugs on Jetty side label May 16, 2023
gregw added a commit that referenced this issue May 16, 2023
Always set the Vary Header.

Signed-off-by: gregw <[email protected]>
@gregw gregw self-assigned this May 16, 2023
gregw added a commit that referenced this issue May 17, 2023
* Fix #9777 CrossOriginFilter Vary Header

Always set the Vary Header.
sbordet added a commit that referenced this issue Oct 9, 2023
…s mode.

Modified the fix introduced by #9779 to avoid usage of Jetty server classes, so that the CrossOriginFilter can be deployed in any web application.

Signed-off-by: Simone Bordet <[email protected]>