- From: Anne van Kesteren <notifications@github.com>
- Date: Mon, 17 Jul 2017 07:33:30 +0000 (UTC)
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/564/review/50249780@github.com>
annevk approved this pull request. Couple nits left, seems reasonable overall. > +request</a>), the response will lack `<a http-header><code>Access-Control-Allow-Origin</code></a>` +and the user agent will cache that response. Then, if the user agent subsequently encounters a +<a>CORS request</a> for the resource, it will use that cached response from the previous +non-<a>CORS request</a>, without `<a http-header><code>Access-Control-Allow-Origin</code></a>`. + +<p>But if `<code>Vary: Origin</code>` is used in the same scenario described above, it will cause +the user agent to <a for=/>fetch</a> a response that includes +`<a http-header><code>Access-Control-Allow-Origin</code></a>`, rather than using the cached response +from the previous non-<a>CORS request</a> that lacks +`<a http-header><code>Access-Control-Allow-Origin</code></a>`. + +<p>However, if `<a http-header><code>Access-Control-Allow-Origin</code></a>` is set to +<code>*</code> or a static <a for=/>origin</a> for a particular resource, then configure the server +to always send `<a http-header><code>Access-Control-Allow-Origin</code></a>` in responses for the +resource — for non-<a lt="CORS request">CORS requests</a> as well as <a lt="CORS request">CORS +requests</a> — and do not use `<code>Vary</code>`. Extra newline here. > +non-<a>CORS request</a> for that resource (for example, as the result of a <a>navigation +request</a>), the response will lack `<a http-header><code>Access-Control-Allow-Origin</code></a>` +and the user agent will cache that response. Then, if the user agent subsequently encounters a +<a>CORS request</a> for the resource, it will use that cached response from the previous +non-<a>CORS request</a>, without `<a http-header><code>Access-Control-Allow-Origin</code></a>`. 
+ +<p>But if `<code>Vary: Origin</code>` is used in the same scenario described above, it will cause +the user agent to <a for=/>fetch</a> a response that includes +`<a http-header><code>Access-Control-Allow-Origin</code></a>`, rather than using the cached response +from the previous non-<a>CORS request</a> that lacks +`<a http-header><code>Access-Control-Allow-Origin</code></a>`. + +<p>However, if `<a http-header><code>Access-Control-Allow-Origin</code></a>` is set to +<code>*</code> or a static <a for=/>origin</a> for a particular resource, then configure the server +to always send `<a http-header><code>Access-Control-Allow-Origin</code></a>` in responses for the +resource — for non-<a lt="CORS request">CORS requests</a> as well as <a lt="CORS request">CORS No need for the `lt` attribute here. Bikeshed knows about English plural. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/564#pullrequestreview-50249780
Received on Monday, 17 July 2017 07:33:58 UTC
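Review bot: In the closing paragraph of the first quoted hunk, "and do not use `<code>Vary</code>`" reads as a ban on the whole header, while the two paragraphs before it only discuss `<code>Vary: Origin</code>`. A resource with a static `Access-Control-Allow-Origin` value can still need to vary on other request headers, so consider narrowing this to "and do not use `<code>Vary: Origin</code>`", or saying that `Origin` does not need to be listed in `Vary` for that resource.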
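Review bot: In the opening paragraph of the second quoted hunk, "the user agent will cache that response" and "it will use that cached response" state as certain something that depends on the response being cacheable and still fresh when the CORS request arrives. "might cache" and "might use" would describe the failure case accurately, and would match the conditional framing of the `<code>Vary: Origin</code>` paragraph that follows.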