Re: [cors] 27 July 2010 CORS feedback

On Mon, Nov 22, 2010 at 1:56 AM, Julian Reschke <> wrote:
> On 22.11.2010 09:53, Jonas Sicking wrote:
>> ...
>>>>> 3) When a server changes the headers in a response based upon the value
>>>>> of the incoming Origin header (as outlined in sections 5.1 and 5.2), it must
>>>>> insert Vary: Origin into *all* responses for that resource; otherwise,
>>>>> downstream caches will incorrectly store it.
>>>>> Be aware that doing so will cause many versions of IE not to cache
>>>>> those responses at all. Another option would be to disallow varying the
>>>>> response based upon the Origin header.
>>>> Disallowing varying by origin seems like a bigger problem than IE not
>>>> caching.
>>> Either way, it needs to be addressed.
>> You mean by adding a note in the spec? Are you adding a similar note
>> to http-bis about the Vary header?
>> ...
> CORS specifies behavior that makes the response to a request depend on the
> Origin request header. Therefore it would be good if if pointed out that as
> a *result* of that, the "Vary" header needs to be added to any response for
> that URI.

Ooh, i thought the initial paragraph from Mark was a quote from the
spec. I now see that that is not the case. I'm fairly sure we've
discussed that in the past and I agree that such a note should be

/ Jonas

Received on Monday, 22 November 2010 17:29:47 UTC