
Vary: Origin should not be set if the Origin request header is ignored #332

Open
ehmicky opened this issue Oct 19, 2024 · 0 comments

ehmicky commented Oct 19, 2024

The Vary HTTP response header is useful to ensure proper caching of CORS responses and prevent cache poisoning. However, it comes with a downside: (potentially significantly) increasing the cache size, since each client's origin will create a different cached value.

The standard mentions:

If Access-Control-Allow-Origin is set to * or a static origin for a particular resource, then configure the server to always send Access-Control-Allow-Origin in responses for the resource — for non-CORS requests as well as CORS requests — and do not use Vary.

In other words, if the CORS response is always the same regardless of the Origin request header, Vary: Origin should not be set. Currently, this module mostly gets it right except in two cases:

  1. If the origin option is a function, regardless of the return value of that function (including '*'), Vary: Origin should be set, since that function might (and most likely did) use the Origin request header.

cors/lib/index.js, lines 209 to 216 in 53312a5:

```js
var originCallback = null;
if (corsOptions.origin && typeof corsOptions.origin === 'function') {
  originCallback = corsOptions.origin;
} else if (corsOptions.origin) {
  originCallback = function (origin, cb) {
    cb(null, corsOptions.origin);
  };
}
```

cors/lib/index.js, lines 41 to 46 in 53312a5:

```js
if (!options.origin || options.origin === '*') {
  // allow any origin
  headers.push([{
    key: 'Access-Control-Allow-Origin',
    value: '*'
  }]);
```

  2. If the origin option is a string, Vary: Origin should not be set, since Access-Control-Allow-Origin is always the same value, and the Origin request header is ignored.

cors/lib/index.js, lines 47 to 56 in 53312a5:

```js
} else if (isString(options.origin)) {
  // fixed origin
  headers.push([{
    key: 'Access-Control-Allow-Origin',
    value: options.origin
  }]);
  headers.push([{
    key: 'Vary',
    value: 'Origin'
  }]);
```

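The following is an added example, not code from the cors module or from the issue author. It models the Access-Control-Allow-Origin / Vary decision the issue proposes (no Vary for `*` or a fixed string, Vary: Origin whenever the `origin` option is a function) and pairs it with a toy shared cache that honours Vary the way RFC 9111 describes, so the two consequences are visible side by side: a dynamic origin served without Vary lets one origin's ACAO be replayed to another, while a static origin served with Vary only multiplies cache entries. The function form of `origin` is simplified here to a synchronous `origin => true | string | false`; the `SharedCache` class, the `/api/data` URL and the `*.example` origins are all constructed for the demonstration.

```javascript
// Added example (not the cors module's own code): decide CORS headers as the
// issue proposes. `originOption` mirrors the module's `origin` option, except
// that the function form is synchronous here instead of (origin, cb).
function corsHeaders(originOption, requestOrigin) {
  const headers = {};
  if (!originOption || originOption === '*') {
    headers['Access-Control-Allow-Origin'] = '*'; // identical for every client: no Vary
  } else if (typeof originOption === 'string') {
    headers['Access-Control-Allow-Origin'] = originOption; // fixed value, Origin ignored: no Vary
  } else if (typeof originOption === 'function') {
    const allowed = originOption(requestOrigin);
    if (allowed === true) headers['Access-Control-Allow-Origin'] = requestOrigin;
    else if (typeof allowed === 'string') headers['Access-Control-Allow-Origin'] = allowed;
    headers['Vary'] = 'Origin'; // the function saw Origin, so its answer may depend on it
  } else {
    throw new TypeError('unsupported origin option');
  }
  return headers;
}

// Toy shared cache (constructed for this example). Like a real HTTP cache it
// reuses a stored response only when every request header named in that
// response's Vary has the same value as in the new request.
class SharedCache {
  constructor() { this.store = new Map(); } // url -> [{ varyValues, headers }]

  fetch(url, reqHeaders, originServer) {
    const entries = this.store.get(url) || [];
    const hit = entries.find(e =>
      Object.entries(e.varyValues).every(([h, v]) => (reqHeaders[h] || '') === v));
    if (hit) return { cached: true, headers: hit.headers };
    const headers = originServer(reqHeaders);
    const varyValues = {};
    const varyList = (headers['Vary'] || '').split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
    for (const h of varyList) varyValues[h] = reqHeaders[h] || '';
    entries.push({ varyValues, headers });
    this.store.set(url, entries);
    return { cached: false, headers };
  }

  size(url) { return (this.store.get(url) || []).length; }
}

function runScenarios() {
  const allowList = new Set(['https://app.example', 'https://admin.example']);
  const dynamic = origin => allowList.has(origin); // function form of the origin option
  // stripVary simulates a deployment that drops Vary from a dynamic decision.
  const serve = (opt, stripVary) => req => {
    const h = corsHeaders(opt, req.origin);
    if (stripVary) delete h['Vary'];
    return h;
  };
  const url = '/api/data';

  // (a) dynamic origin, Vary missing: admin.example primes the cache, and
  // app.example is then served admin's ACAO, which its browser would reject.
  const poisoned = new SharedCache();
  poisoned.fetch(url, { origin: 'https://admin.example' }, serve(dynamic, true));
  const a = poisoned.fetch(url, { origin: 'https://app.example' }, serve(dynamic, true));

  // (b) dynamic origin with Vary: Origin: the second origin misses the cache
  // and receives a response computed for itself.
  const safe = new SharedCache();
  safe.fetch(url, { origin: 'https://admin.example' }, serve(dynamic, false));
  const b = safe.fetch(url, { origin: 'https://app.example' }, serve(dynamic, false));

  // (c) fixed origin string: the response is the same for every Origin, so
  // without Vary one entry serves all clients; with Vary each Origin adds one.
  const staticNoVary = new SharedCache();
  const staticVary = new SharedCache();
  for (const o of ['https://app.example', 'https://other.example', 'https://evil.example']) {
    staticNoVary.fetch(url, { origin: o }, serve('https://app.example', false));
    staticVary.fetch(url, { origin: o }, req => ({ ...serve('https://app.example', false)(req), Vary: 'Origin' }));
  }

  return {
    poisonedAcao: a.headers['Access-Control-Allow-Origin'], // 'https://admin.example' (wrong client)
    poisonedCached: a.cached,                               // true
    safeAcao: b.headers['Access-Control-Allow-Origin'],     // 'https://app.example'
    safeCached: b.cached,                                   // false
    staticEntriesNoVary: staticNoVary.size(url),            // 1
    staticEntriesWithVary: staticVary.size(url),            // 3
  };
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

Scenario (c) is the cost the issue is about: with a fixed `origin` string every distinct Origin fragments the cache even though every stored response is byte-identical, and scenario (a) is the risk Vary exists to prevent, which only arises when the response actually depends on the request's Origin.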