I've run into an issue with the CrossOriginFilter with fonts which might be retrieved from the same host with no Origin request header, or from a different host with an Origin header in the request.
If a response is cached for the former case, then future cross-origin requests will use the response without a Vary response header. Because this cached response doesn't include an Access-Control-Allow-Origin header, the cross-origin request fails. If all responses include Vary: Origin, then the absence of the Origin header in the request should be included in the cache key, and a subsequent request with an Origin should go to Jetty.
I can see that there might be some issues with backwards compatibility if the filter is applied too broadly, so maybe this would need to use a new configuration option if implemented.
@sbordet I can't see why fixing this should cause backward compatibility issues? Can you?
We need to set Vary: Origin if the origin is null or if we do not match the origin... which makes me struggle to think when we should not set Vary: Origin, as even if we accept all origins, the absence of origin header is significant. Perhaps this filter should always set it for any request that it applies to?
About backwards compatibility, I was thinking of a hypothetical case where someone mapped the filter to /*, which would look like it was working as intended. In this case, starting to send Vary: Origin for the entire application might have unintended side effects.
It's a bit of an edge case, though, and might be better dealt with in release notes.
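To make the caching interaction in this thread concrete, below is a small Python model of a shared HTTP cache that honours `Vary` (as in RFC 7234 section 4.1) sitting in front of an origin with a CORS filter. This is an added example for this page, not Jetty's `CrossOriginFilter` or any servlet code; the allowed-origin list, the font URL and the "buggy vs. always set `Vary: Origin`" switch are assumptions made for the illustration. It shows the sequence from the issue: a same-origin fetch with no `Origin` header gets cached, and a later cross-origin fetch is then served from cache without `Access-Control-Allow-Origin` unless the first response carried `Vary: Origin`.

```python
"""Model of the Vary/CORS cache interaction discussed in this issue.

Toy model added for the discussion; not Jetty's CrossOriginFilter.
Assumptions: one allowed origin, one cacheable font URL, and a cache that
keys stored responses on the request header values named in Vary.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Response:
    body: bytes
    headers: Dict[str, str] = field(default_factory=dict)


# Assumption for the example: the filter's configured allowed origins.
ALLOWED_ORIGINS = {"https://app.example"}


def cors_filter(req: Dict[str, str], always_vary: bool) -> Response:
    """Origin server with a CORS filter in front of a cacheable font.

    always_vary=False models the behaviour the issue describes: no Vary
    header when the request carried no Origin.
    always_vary=True models the proposed fix: emit Vary: Origin on every
    response the filter handles, so "no Origin" becomes part of the cache key.
    """
    resp = Response(b"<font bytes>", {
        "Content-Type": "font/woff2",
        "Cache-Control": "public, max-age=3600",
    })
    origin = req.get("Origin")
    if origin is not None and origin in ALLOWED_ORIGINS:
        resp.headers["Access-Control-Allow-Origin"] = origin
        resp.headers["Vary"] = "Origin"
    elif always_vary:
        resp.headers["Vary"] = "Origin"
    return resp


class SharedCache:
    """Minimal cache: a stored response is reused only if every header named
    in its Vary has the same value on the new request (absent matches absent).
    Header names are compared as written; real caches are case-insensitive."""

    def __init__(self, origin: Callable[[Dict[str, str]], Response]) -> None:
        self._origin = origin
        self._store: Dict[str, List[Tuple[Dict[str, Optional[str]], Response]]] = {}

    def fetch(self, url: str, req: Dict[str, str]) -> Tuple[Response, str]:
        for vary_values, resp in self._store.get(url, []):
            # A response with no Vary has an empty dict here and matches everything.
            if all(req.get(name) == value for name, value in vary_values.items()):
                return resp, "cache"
        resp = self._origin(req)
        names = [n.strip() for n in resp.headers.get("Vary", "").split(",") if n.strip()]
        vary_values = {name: req.get(name) for name in names}
        self._store.setdefault(url, []).append((vary_values, resp))
        return resp, "origin"


def scenario(always_vary: bool) -> Dict[str, object]:
    """Replay the issue's sequence: same-origin fetch, then cross-origin fetch."""
    cache = SharedCache(lambda req: cors_filter(req, always_vary))
    url = "https://cdn.example/fonts/a.woff2"  # constructed sample URL
    # 1. Page on cdn.example itself loads the font: the browser sends no Origin.
    _, first = cache.fetch(url, {"Host": "cdn.example"})
    # 2. Page on app.example loads the same font cross-origin, with an Origin header.
    resp, second = cache.fetch(url, {"Host": "cdn.example", "Origin": "https://app.example"})
    # 3. A repeat of the cross-origin fetch.
    _, third = cache.fetch(url, {"Host": "cdn.example", "Origin": "https://app.example"})
    acao = resp.headers.get("Access-Control-Allow-Origin")
    return {
        "first_from": first,
        "second_from": second,
        "third_from": third,
        "acao": acao,
        "cross_origin_ok": acao == "https://app.example",
    }


if __name__ == "__main__":
    print("without Vary on same-origin response:", scenario(always_vary=False))
    print("with Vary: Origin always:            ", scenario(always_vary=True))
```

With `always_vary=False` the second fetch is answered from cache with no `Access-Control-Allow-Origin`, which is the browser-side failure the issue reports. With `always_vary=True` the first stored entry is keyed on "Origin absent", the cross-origin fetch misses and goes to the origin, and only its repeat is served from cache. The model also makes the backwards-compatibility worry visible: once `Vary: Origin` is on every response, the cache holds one entry per distinct `Origin` value (plus one for "absent"), so mapping the filter to `/*` changes caching behaviour for the whole application, not just for the CORS resources.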