
CorsService.php is appending 'Origin' to the first Vary header and chopping off the rest of the Vary header

Open SunainaDutta14 opened this issue 1 year ago • 3 comments

```php
public function varyHeader(Response $response, $header): Response
{
    if (!$response->headers->has('Vary')) {
        $response->headers->set('Vary', $header);
    } elseif (!in_array($header, explode(', ', $response->headers->get('Vary')))) {
        $response->headers->set('Vary', $response->headers->get('Vary') . ', ' . $header);
    }

    return $response;
}
```
My response object has two Vary headers, 'Cookie' and 'Referer', but instead of appending 'Origin' at the end, the above code is adding 'Origin' after the first Vary header, and the rest of the Vary headers are chopped off.

(three screenshots attached)

Sending a third parameter, 'FALSE', to the set function will resolve the issue: `$response->headers->set('Vary', $header, FALSE);`

Can someone please look into it and provide a proper way to fix it? I have raised an issue in Drupal as well: https://www.drupal.org/project/drupal/issues/3471642

SunainaDutta14 avatar Sep 04 '24 16:09 SunainaDutta14

It appears to me that this is best demonstrated in the 2nd screenshot. Calling $response->headers->get('Vary') is returning ONLY the first header, "Cookie", and completely dropping "Referer". Line 216 is appending a new value. The expected headers at the end of this call are "Cookie,Referer,Origin", but instead the end result is "Cookie,Origin" (dropped Referer).

dpagini avatar Sep 12 '24 12:09 dpagini

I think that line 215 of CorsService.php assumes that $response->headers->get('Vary') returns a string, but it seems like it can return a string or an array.

dpagini avatar Oct 11 '24 20:10 dpagini

Ok, looking at this more... can this code just use the $response->setVary() method instead?

dpagini avatar Oct 11 '24 21:10 dpagini
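
The behaviour discussed in this thread, as an added example that is not stack-cors or Drupal code: the first function reproduces the first-line-only logic from the report, the second merges the new field into every existing Vary value. Dropping a value matters because caches use Vary to decide which request headers distinguish stored responses. The names `firstLineOnly` and `mergeVary` are hypothetical, and the response's headers are modelled as a plain list of strings, one per Vary line.

```php
<?php
declare(strict_types=1);

// $lines models every Vary header line on a response, one string per line
// (assumption: the caller collects them all, not just the first one).

/** Logic from the report: read the first line only, then overwrite the header. */
function firstLineOnly(array $lines, string $field): string
{
    if ($lines === []) {
        return $field;
    }
    $first = $lines[0];
    if (in_array($field, explode(', ', $first), true)) {
        return implode(', ', $lines); // header left untouched
    }
    return $first . ', ' . $field;    // replaces every existing line
}

/** Merge $field into all existing Vary values without dropping any. */
function mergeVary(array $lines, string $field): string
{
    $fields = [];
    foreach ($lines as $line) {
        // One line may itself carry a comma-separated list.
        foreach (explode(',', $line) as $name) {
            $name = trim($name);
            if ($name !== '') {
                // Field names are case-insensitive: dedupe on the lowercase form.
                $fields[strtolower($name)] ??= $name;
            }
        }
    }
    if (isset($fields['*'])) {
        return '*'; // "Vary: *" already covers every request header
    }
    $fields[strtolower($field)] ??= $field;

    return implode(', ', $fields);
}

// Constructed sample: the two Vary lines described in the report.
$lines = ['Cookie', 'Referer'];
printf("first line only:  %s\n", firstLineOnly($lines, 'Origin'));
printf("merged:           %s\n", mergeVary($lines, 'Origin'));
printf("case-insensitive: %s\n", mergeVary(['Cookie, origin'], 'Origin'));
```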