Improved CORSHandler #13677
Improved CORSHandler #13677
Conversation
| return; | ||
| } | ||
|
|
||
| Common::sendHeader('Vary: Origin'); |
There was a problem hiding this comment.
Is there a reason for this new header? From what I understand about the header, it exists to tell http caches how to identify a resource when deciding which cached object to use. It doesn't seem related to CORS.
There was a problem hiding this comment.
6.4 Implementation Considerations
This section is non-normative.
Resources that wish to enable themselves to be shared with multiple Origins but do not respond uniformly with "*" must in practice generate the Access-Control-Allow-Origin header dynamically in response to every request they wish to allow. As a consequence, authors of such resources should send a Vary: Origin HTTP header or provide other appropriate control directives to prevent caching of such responses, which may be inaccurate if re-used across-origins.
When using the 3rd party cookie, and tracking to piwik with AJAX, the request will (must) include the 3rd party cookie (see #13159 ).
It is already possible to set "cors_domains[] = *" in config.ini.php to allow this.
However "The value of * is special in that it does not allow requests to supply credentials, meaning it does not allow HTTP authentication, client-side SSL certificates, or cookies to be sent in the cross-domain request." (see https://en.wikipedia.org/wiki/Cross-origin_resource_sharing ).
Thus this change avoids the "*" value and also adds the 'Vary: Origin' header.