Closed Bug 1565550 Opened 5 years ago Closed 5 years ago

In some cases, CORS fetch result reused (including CORS Allow-* headers) when fetched from another origin, despite `Vary: Origin` header, breaking CORS

Categories

(Core :: Networking: HTTP, defect, P2)

Product:
Core
Component:
Networking: HTTP
Version:
68 Branch
Type:
defect

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: michiel, Unassigned)

Details

(Whiteboard: [necko-triaged])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36

Steps to reproduce:

See https://michielbdejong.com/blog/23.html

Actual results:

See https://michielbdejong.com/blog/23.html

Expected results:

See https://michielbdejong.com/blog/23.html

Chrome bug about the same topic is here: https://bugs.chromium.org/p/chromium/issues/detail?id=983532

From the blogpost:

https://site-one.5apps.com
https://site-two.5apps.com
https://site-three.5apps.com
https://site-four.5apps.com

The thing that's going wrong is that in the site-one/site-two case, the browser ignores the Vary: Origin header, and caches the result from site-one in the http cache, including the Access-Control-Allow-Origin: https://site-one.5apps.com header. Therefore, the cross-origin request from site-two.5apps.com is blocked. In this case, doing just a GET, this could be worked around using Access-Control-Allow-Origin: *, but for POST and other verbs, the server needs to echo the origin from the HTTP request's Origin there. For some mysterious reason, the same thing does not go wrong for site-three/site-four! :)

(in future, when filing bug reports, please put at least some actual description of the issue into the initial comment - not just links)

Component: Untriaged → Networking: Cache
Product: Firefox → Core
Summary: `Vary: Origin` header is sometime ignored → In some cases, CORS fetch result reused (including CORS Allow-* headers) when fetched from another origin, despite `Vary: Origin` header, breaking CORS

Not sure if cache is better than DOM: Networking for CORS-related things - Anne, do you have thoughts here?

Flags: needinfo?(annevk)

CORS is normally DOM: Networking, but this seems like an issue with the cache not supporting Vary. This will probably also be fixed once we fix bug 1536058 however.

Flags: needinfo?(annevk)
Component: Networking: Cache → Networking: HTTP
Priority: -- → P2
Whiteboard: [necko-triaged]

Update: See https://bugs.chromium.org/p/chromium/issues/detail?id=983532, it turns out that this works as follows:

I had assumed that if you put a Vary header on a 200, then the browser would not attempt to use that cached data if that Vary header is not satisfied. In reality, it's slightly more subtle: If the Vary header is not satisfied, then the browser will always do a new request to the server, but that request can still be conditional, and if the new response is a 304, than the cached version of the document will still be used!

The server we were testing against had a bug where its 304 responses are lacking CORS headers, and so that's what caused the confusion.

This does mean that if a server varies its responses based on for instance Origin, then it should also vary its ETags along with that. Just setting the Vary header is not enough to prevent cache sharing, actually varying the ETag values is also important.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.