W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2010

Re: [cors] 27 July 2010 CORS feedback

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 22 Nov 2010 09:28:50 -0800
Message-ID: <AANLkTimViWMKH5fEzGc5F-Usng7kfoOoxZ0VosUBEo=D@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Mark Nottingham <mnot@mnot.net>, public-webapps@w3.org
On Mon, Nov 22, 2010 at 1:56 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> On 22.11.2010 09:53, Jonas Sicking wrote:
>> ...
>>>>> 3) When a server changes the headers in a response based upon the value
>>>>> of the incoming Origin header (as outlined in sections 5.1 and 5.2), it must
>>>>> insert Vary: Origin into *all* responses for that resource; otherwise,
>>>>> downstream caches will incorrectly store it.
>>>>> Be aware that doing so will cause many versions of IE not to cache
>>>>> those responses at all. Another option would be to disallow varying the
>>>>> response based upon the Origin header.
>>>> Disallowing varying by origin seems like a bigger problem than IE not
>>>> caching.
>>> Either way, it needs to be addressed.
>> You mean by adding a note in the spec? Are you adding a similar note
>> to http-bis about the Vary header?
>> ...
> CORS specifies behavior that makes the response to a request depend on the
> Origin request header. Therefore it would be good if if pointed out that as
> a *result* of that, the "Vary" header needs to be added to any response for
> that URI.

Ooh, i thought the initial paragraph from Mark was a quote from the
spec. I now see that that is not the case. I'm fairly sure we've
discussed that in the past and I agree that such a note should be

/ Jonas
Received on Monday, 22 November 2010 17:29:47 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:13:13 UTC