Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

middleware: fix set Vary header #640

Merged
merged 1 commit into from
Jan 3, 2022
Merged

middleware: fix set Vary header #640

merged 1 commit into from
Jan 3, 2022

Conversation

mytheta
Copy link
Contributor

@mytheta mytheta commented Jul 16, 2021

There are cases where you want to define a value(ex. origin, accept ...) other than accept-encoding in the Vary header.
So, if the Vary header is already set, why not give priority to the existing settings?

@davidspiess
Copy link

Any chance to have this merged? We ran in the same issue.

@pkieltyka pkieltyka merged commit b750c80 into go-chi:master Jan 3, 2022
albertchae added a commit to albertchae/flipt that referenced this pull request Apr 11, 2022
For CORS, the server needs to include `Origin` in the `Vary` response
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#access-control-allow-origin

Flipt is using go-chi/cors to handle CORS which does include that header
https://github.com/go-chi/cors/blob/9b0b248d5e6ba10c954f076a98c5f7760f243882/cors.go#L242-L247

However, if the request includes `Accept-Encoding`, this triggers this line
https://github.com/go-chi/chi/blob/86f9a6e7ce9bf453eaa339b51f88f586edbccbc1/middleware/compress.go#L321
which overrides any previously set Vary headers

N.B. `Accept-Encoding` is a forbidden header https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name
meaning it can only be set by the user agent and cannot be modified in JS as a workaround

This bug was fixed in go-chi/chi#640, so this
commit updates go-chi/chi to that commit hash with
`go get github.com/go-chi/chi/v5@b750c805b4ee0952b`
albertchae added a commit to albertchae/flipt that referenced this pull request Apr 11, 2022
For CORS, the server needs to include `Origin` in the `Vary` response
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#access-control-allow-origin

Flipt is using go-chi/cors to handle CORS which does include that header
https://github.com/go-chi/cors/blob/9b0b248d5e6ba10c954f076a98c5f7760f243882/cors.go#L242-L247

However, if the request includes `Accept-Encoding`, this triggers this line
https://github.com/go-chi/chi/blob/86f9a6e7ce9bf453eaa339b51f88f586edbccbc1/middleware/compress.go#L321
which overrides any previously set Vary headers

N.B. `Accept-Encoding` is a forbidden header https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name
meaning it can only be set by the user agent and cannot be modified in JS as a workaround

This bug was fixed in go-chi/chi#640, so this
commit updates go-chi/chi to that commit hash with
`go get github.com/go-chi/chi/v5@b750c805b4ee0952b`
markphelps pushed a commit to flipt-io/flipt that referenced this pull request Apr 11, 2022
For CORS, the server needs to include `Origin` in the `Vary` response
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#access-control-allow-origin

Flipt is using go-chi/cors to handle CORS which does include that header
https://github.com/go-chi/cors/blob/9b0b248d5e6ba10c954f076a98c5f7760f243882/cors.go#L242-L247

However, if the request includes `Accept-Encoding`, this triggers this line
https://github.com/go-chi/chi/blob/86f9a6e7ce9bf453eaa339b51f88f586edbccbc1/middleware/compress.go#L321
which overrides any previously set Vary headers

N.B. `Accept-Encoding` is a forbidden header https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name
meaning it can only be set by the user agent and cannot be modified in JS as a workaround

This bug was fixed in go-chi/chi#640, so this
commit updates go-chi/chi to that commit hash with
`go get github.com/go-chi/chi/v5@b750c805b4ee0952b`
@TomOne TomOne mentioned this pull request Dec 7, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants