DefaultCorsProcessor does not set "vary: Origin" if the request has no Cors header

[mascheck]

The DefaultCorsProcessor will not set the "vary: Origin" header in the response, if the request is not a cors request.

Scenario:

• The user visits the original page (without CORS).
• Some scripts are cached without CORS and vary headers
• The user visits page B which is using the same scripts. The browser wants to load them from the cache but get a CORS Error because of the missing CORS headers.

Discussions regarding this topic:
#18378 (especially the last comment)
https://stackoverflow.com/questions/25329405/why-isnt-vary-origin-response-set-on-a-cors-miss

I use Spring Boot 2.1.1.RELEASE

Are there any known workarounds?

[sdeleuze]

Did you manage to reproduce the issue without a CDN being involved (only browser cache)?

[mascheck]

This issue depends not on CDN. We were also able to reproduce it locally

[sdeleuze]

Any chance you could provide a repro project?

[mascheck]

Here is a repo with a demo Spring application:
https://github.com/Keroxo/spring-cors-demo-backend

Here is a demo client:
https://github.com/Keroxo/spring-cors-demo-client

You should run both on a different server. The Spring Application should take the default port 8080. The client can run under any port. I used 8088 for testing. For running the client I used http-server.

1. Visit localhost:8088
   It will get the data from localhost:8080/data via xhr request. Take a look at the CORS-Headers like vary:origin
2. Reload localhost:8088
   See, that the data will be fetched from the disk cache
3. Visit localhost:8080/home
   Its also requesting localhost:8080/data and will not fetch from cache because of the vary:origin header of the cached version. Look at the CORS-Headers of the newly fetched data.json. There will be no CORS Headers at all.
4. Revisit localhost:8088
   There will be an error when fetching the data json because the cached version has no cors Headers:
   Access to XMLHttpRequest at 'http://localhost:8080/data' from origin 'http://localhost:8088' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
   The vary:origin would help here, too. Because localhost:8088 would know that he has to fetch his own data.json

I hope that helped to clarify the problem