On 22.11.2010 09:53, Jonas Sicking wrote:
...
3) When a server changes the headers in a response based upon the value of the
incoming Origin header (as outlined in sections 5.1 and 5.2), it must insert
Vary: Origin into *all* responses for that resource; otherwise, downstream
caches will incorrectly store it.
Be aware that doing so will cause many versions of IE not to cache those
responses at all. Another option would be to disallow varying the response
based upon the Origin header.
Disallowing varying by origin seems like a bigger problem than IE not caching.
Either way, it needs to be addressed.
You mean by adding a note in the spec? Are you adding a similar note
to http-bis about the Vary header?
...
CORS specifies behavior that makes the response to a request depend on
the Origin request header. Therefore it would be good if if pointed out
that as a *result* of that, the "Vary" header needs to be added to any
response for that URI.
Best regards, Julian
