Description
Search for duplicate issues
- I already searched, and this issue is not a duplicate.
Issue scope
Other (specify below)
Describe the bug
When the package handles CORS it should also add `Origin` to the `Vary` response header, because the response (its `access-control-allow-origin` value) changes depending on the request's `Origin` header. Without `Vary: Origin` a shared cache such as the CDN in front of this asset may store the response generated for one origin and serve it to requests from a different origin. For example:
```
~ ❯ curl 'https://static.learnfeliz.com/objects/suburban/House.glb' \
  -H 'sec-ch-ua-platform: "Android"' \
  -H 'Origin: xyz.com' \
  -H 'Referer: http://localhost:5173/' \
  -H 'User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Mobile Safari/537.36' \
  -H 'sec-ch-ua: "Not A(Brand";v="8", "Chromium";v="132", "Google Chrome";v="132"' \
  -H 'DNT: 1' \
  -H 'sec-ch-ua-mobile: ?1' -IL
HTTP/2 200
date: Sat, 22 Mar 2025 17:37:43 GMT
content-type: model/gltf-binary
content-length: 28748
accept-ranges: bytes
access-control-allow-headers: content-type, authorization, origin
access-control-allow-methods: GET, HEAD, OPTIONS
access-control-allow-origin: xyz.com
access-control-expose-headers: content-type, origin
cache-control: public, max-age=604800, s-maxage=604800, stale-while-revalidate=432000
content-security-policy: frame-ancestors 'self'
last-modified: Sun, 02 Feb 2025 16:07:36 GMT
strict-transport-security: max-age=63072000; includeSubDomains; preload
vary: accept-encoding
x-content-type-options: nosniff
x-frame-options: DENY
cf-cache-status: MISS
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3dPHn1b5FUB3FryKKdHEGPWgIlB94RQFcRekCKH4JD8g1wYsGH9cUdzMkFH2%2BvdDD%2BE2GxVqlnTZDDMVYmpOj8Nk84Ou%2B3oXo8yD%2FOsXWHDbZtvgvkHerMlegZoRMYWlZsbnsOdOFSTmkrdTaGj30kEoyK8%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 92477567284ffe9f-AMS
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=6188&min_rtt=6057&rtt_var=1351&sent=6&recv=8&lost=0&retrans=0&sent_bytes=3433&recv_bytes=1020&delivery_rate=650056&cwnd=253&unsent_bytes=0&cid=3f4c0868dbf530e1&ts=56&x=0"

~ ❯ curl 'https://static.learnfeliz.com/objects/suburban/House.glb' \
  -H 'sec-ch-ua-platform: "Android"' \
  -H 'Referer: http://localhost:5173/' \
  -H 'User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Mobile Safari/537.36' \
  -H 'sec-ch-ua: "Not A(Brand";v="8", "Chromium";v="132", "Google Chrome";v="132"' \
  -H 'DNT: 1' \
  -H 'sec-ch-ua-mobile: ?1' -IL
HTTP/2 200
date: Sat, 22 Mar 2025 17:37:52 GMT
content-type: model/gltf-binary
content-length: 28748
accept-ranges: bytes
cache-control: public, max-age=604800, s-maxage=604800, stale-while-revalidate=432000
content-security-policy: frame-ancestors 'self'
last-modified: Sun, 02 Feb 2025 16:07:36 GMT
strict-transport-security: max-age=63072000; includeSubDomains; preload
vary: accept-encoding
x-content-type-options: nosniff
x-frame-options: DENY
age: 2638
cf-cache-status: HIT
report-to: {"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=UrAX3a37N5Bni6sTWHP%2BIb8f6%2F48XN3kHOdcjGexHTwYUbE1X7ebTQg%2ByLajiwl7uVVgtOrb%2FQXFxy1hFfJvwmXWhSmGqS92RDkWTAgN7VsBgy3owHV7JzQ9ZTeHjV8slVcNucLDJDN1QBOj8uY0KE%2Bxp1I%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 924775a00e171cae-AMS
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=5675&min_rtt=4501&rtt_var=1891&sent=6&recv=8&lost=0&retrans=0&sent_bytes=3411&recv_bytes=1006&delivery_rate=762874&cwnd=202&unsent_bytes=0&cid=83091922d76f1690&ts=53&x=0"

~ ❯ curl 'https://static.learnfeliz.com/objects/suburban/House.glb' \
  -H 'sec-ch-ua-platform: "Android"' \
  -H 'Origin: foobar.com' \
  -H 'Referer: http://localhost:5173/' \
  -H 'User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Mobile Safari/537.36' \
  -H 'sec-ch-ua: "Not A(Brand";v="8", "Chromium";v="132", "Google Chrome";v="132"' \
  -H 'DNT: 1' \
  -H 'sec-ch-ua-mobile: ?1' -IL
HTTP/2 200
date: Sat, 22 Mar 2025 17:40:56 GMT
content-type: model/gltf-binary
content-length: 28748
accept-ranges: bytes
access-control-allow-headers: content-type, authorization, origin
access-control-allow-methods: GET, HEAD, OPTIONS
access-control-allow-origin: foobar.com
access-control-expose-headers: content-type, origin
cache-control: public, max-age=604800, s-maxage=604800, stale-while-revalidate=432000
content-security-policy: frame-ancestors 'self'
last-modified: Sun, 02 Feb 2025 16:07:36 GMT
strict-transport-security: max-age=63072000; includeSubDomains; preload
vary: accept-encoding
x-content-type-options: nosniff
x-frame-options: DENY
cf-cache-status: MISS
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qHFe%2FWUKIhsriET3FdSaqP55ceC8E5j5FV3WxLGf3u8dOiav6J5XNVmTL1ELzrO4scprZHZNAbfpJmK7VZqJYFLsWog3YdK3YnC%2BE3htOJsWtjhG0B%2FNx99LZfkT5Orn%2FzResxE42AHtAPHQhVXYJROOXxY%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 92477a1ff89b0e30-AMS
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=5668&min_rtt=5277&rtt_var=2111&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3409&recv_bytes=1021&delivery_rate=519593&cwnd=180&unsent_bytes=0&cid=a3b3ea1f408503d2&ts=69&x=0"
```

In all three responses the `access-control-allow-origin` value tracks the request's `Origin` header, yet `vary` only lists `accept-encoding`, so a shared cache has no way to tell these variants apart.
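To make the cache interaction concrete, here is an added, self-contained simulation (not code from this project or from the issue author) of a CORS wrapper in front of a static asset, plus a minimal shared cache that keys on the URL and the request headers named in `Vary`, in the way RFC 9111 describes. The allow-list, the asset URL and the scheme-qualified origins `https://xyz.com` / `https://foobar.com` are constructed stand-ins for the bare `xyz.com` / `foobar.com` values in the transcript above. `replay(vary_origin=False)` reproduces the reported behaviour: the second and third requests hit the cache and receive the first origin's `access-control-allow-origin`. With `vary_origin=True` the wrapper appends `Origin` to the existing `Vary` value (never replacing `accept-encoding`, and still emitting it when the request has no `Origin`), and each origin gets its own cache entry.

```python
"""Simulated CORS middleware and a Vary-aware shared cache (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed allow-list standing in for the origins seen in the issue transcript.
ALLOWED_ORIGINS = {"https://xyz.com", "https://foobar.com"}


@dataclass
class Response:
    status: int
    headers: dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def origin_app(request: dict[str, str]) -> Response:
    """Origin server: a static asset whose cache-control invites shared caching."""
    return Response(200, {
        "content-type": "model/gltf-binary",
        "cache-control": "public, max-age=604800, s-maxage=604800",
        "vary": "accept-encoding",   # the upstream already varies on encoding
    }, b"glTF...")


def add_vary(headers: dict[str, str], name: str) -> None:
    """Append *name* to an existing Vary list without duplicating it (case-insensitive)."""
    existing = [v.strip() for v in headers.get("vary", "").split(",") if v.strip()]
    if "*" in existing:            # Vary: * already forbids reuse; nothing to add
        return
    if name.lower() not in (v.lower() for v in existing):
        existing.append(name)
    headers["vary"] = ", ".join(existing)


def cors(app, *, vary_origin: bool):
    """CORS wrapper; vary_origin=False reproduces the reported bug."""
    def handler(request: dict[str, str]) -> Response:
        resp = app(request)
        origin = request.get("origin")
        if origin in ALLOWED_ORIGINS:
            resp.headers["access-control-allow-origin"] = origin
            resp.headers["access-control-allow-methods"] = "GET, HEAD, OPTIONS"
        if vary_origin:
            # Emit Vary: Origin even when no Origin was sent, so the no-CORS
            # variant is never reused for a cross-origin request (or vice versa).
            add_vary(resp.headers, "Origin")
        return resp
    return handler


class SharedCache:
    """Minimal shared cache: an entry may be reused only if every header named in
    the stored response's Vary has the same value in the new request."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.entries: dict[str, list[tuple[dict, Response]]] = {}
        self.log: list[str] = []

    @staticmethod
    def _matches(stored_req: dict, req: dict, vary: str) -> bool:
        names = [v.strip().lower() for v in vary.split(",") if v.strip()]
        if "*" in names:
            return False
        return all(stored_req.get(n) == req.get(n) for n in names)

    def fetch(self, req: dict[str, str]) -> Response:
        for stored_req, resp in self.entries.get(req["url"], []):
            if self._matches(stored_req, req, resp.headers.get("vary", "")):
                self.log.append("HIT")
                return resp
        resp = self.upstream(req)
        if "public" in resp.headers.get("cache-control", ""):
            self.entries.setdefault(req["url"], []).append((dict(req), resp))
        self.log.append("MISS")
        return resp


def replay(vary_origin: bool) -> list[tuple[str, str | None]]:
    """Replay the issue's three requests (xyz.com, no Origin, foobar.com) through
    one shared cache; return (cache status, access-control-allow-origin) per request."""
    cache = SharedCache(cors(origin_app, vary_origin=vary_origin))
    url = "https://static.example.test/objects/House.glb"   # constructed URL
    results = []
    for origin in ("https://xyz.com", None, "https://foobar.com"):
        req = {"url": url, "accept-encoding": "gzip"}
        if origin:
            req["origin"] = origin
        resp = cache.fetch(req)
        results.append((cache.log[-1], resp.headers.get("access-control-allow-origin")))
    return results


if __name__ == "__main__":
    print("without Vary: Origin ->", replay(vary_origin=False))
    print("with Vary: Origin    ->", replay(vary_origin=True))
```

Without `Vary: Origin` the third request is served from cache with `access-control-allow-origin: https://xyz.com`, which the browser on foobar.com then rejects; with it, each origin misses independently and receives its own value. A useful check when reviewing a CORS layer is exactly the `add_vary` case: the fix must merge into an existing `Vary` list, not overwrite it.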
How to reproduce it
See above
Expected behavior
The `Vary` header should include `Origin` whenever the response depends on the request's `Origin` header.