[ https://issues.jboss.org/browse/WFCORE-1672?page=com.atlassian.jira.plugi... ]
Harald Pehl updated WFCORE-1672:
--------------------------------
Description:
The management endpoint can be accessed from a list of allowed origins. In that case CORS-relevant headers such as {{Access-Control-Allow-Origin: <allowed origin>}} are added to the response.
Since the list of allowed origins is dynamic, the header {{Vary: Origin}} should be added as well. See [https://www.w3.org/TR/cors/#resource-implementation].
Without the {{Vary}} header being present in the response, the client uses responses from the cache which have an origin that does not match the current origin. Consider this scenario:
# http://localhost:3000 (client1) and http://localhost:4000 (client2) are both configured as allowed origins
# client1 reads a resource description using http://localhost:9990/management/profile/default/subsystem/batch-jberet?o.... Since it's a GET request the response is cached.
# client2 reads the same resource description
Without the {{Vary}} header, client2 would use the cached response. However, the origin in the cached response (http://localhost:3000) does not match the current origin (http://localhost:4000), which causes errors.
was:
The management endpoint can be accessed from a list of allowed origins. In that case CORS-relevant headers such as {{Access-Control-Allow-Origin: <allowed origin>}} are added to the response.
Since the list of allowed origins is dynamic, the header {{Vary: Origin}} should be added as well. See [https://www.w3.org/TR/cors/#resource-implementation].
Add 'Vary: Origin' header to CorsHttpHandler
--------------------------------------------
Key: WFCORE-1672
URL: https://issues.jboss.org/browse/WFCORE-1672
Project: WildFly Core
Issue Type: Enhancement
Components: Domain Management
Reporter: Harald Pehl
Assignee: Harald Pehl
--
This message was sent by Atlassian JIRA (v6.4.11#64026)
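The caching behaviour described in the issue, as an added example that is not WildFly Core code: a Python model of a CORS handler that echoes a per-origin Access-Control-Allow-Origin header, plus a shared HTTP cache that honours Vary, run through the client1/client2 scenario both without and with Vary: Origin. The allowed origins, resource URL and the cache implementation are constructed for this illustration and are not the project's own.

```python
# Constructed values matching the scenario in the issue description.
ALLOWED_ORIGINS = {"http://localhost:3000", "http://localhost:4000"}
RESOURCE = "http://localhost:9990/management/profile/default/subsystem/batch-jberet"

def management_response(origin, add_vary):
    """Stand-in for the CORS handler: echo the Origin if it is allowed, optionally add Vary.
    Vary is sent even for a rejected origin, so a header-less response is never reused for an allowed one."""
    headers = {"Content-Type": "application/json"}
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
    if add_vary:
        headers["Vary"] = "Origin"
    return {"headers": headers, "body": '{"description": "batch-jberet subsystem"}'}

class Cache:
    """Cache keyed by URL honouring Vary (RFC 7234 s4.1): reuse only if every Vary-named request header matches."""

    def __init__(self):
        self.entries = {}     # url -> [(vary_fields, selected request headers, response)]
        self.server_hits = 0  # requests that were not served from the cache

    def lookup(self, url, request_headers):
        for vary_fields, selected, response in self.entries.get(url, []):
            if all(selected.get(f) == request_headers.get(f) for f in vary_fields):
                return response
        return None

    def store(self, url, request_headers, response):
        vary = response["headers"].get("Vary", "")
        fields = tuple(f.strip() for f in vary.split(",") if f.strip())
        selected = {f: request_headers.get(f) for f in fields}
        self.entries.setdefault(url, []).append((fields, selected, response))

def fetch(cache, origin, add_vary):
    """One GET through the shared cache, as a page loaded from `origin` would issue it."""
    request_headers = {"Origin": origin}
    response = cache.lookup(RESOURCE, request_headers)
    if response is None:
        response = management_response(origin, add_vary)
        cache.store(RESOURCE, request_headers, response)
        cache.server_hits += 1
    return response

def run_scenario(add_vary):
    """client1 (3000) then client2 (4000) read the same resource; return client2's ACAO and the server hit count."""
    cache = Cache()
    fetch(cache, "http://localhost:3000", add_vary)
    second = fetch(cache, "http://localhost:4000", add_vary)
    return second["headers"].get("Access-Control-Allow-Origin"), cache.server_hits
```

Without Vary, client2 is handed client1's cached response carrying the wrong origin; with Vary: Origin the differing Origin header is a cache miss and the server answers client2 with its own origin.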