What version of Hono are you using?
4.10.1
What runtime/platform is your app running on? (with version if possible)
Cloudflare Workers (locally with wrangler dev, 4.43.0)
What steps can reproduce the bug?
Hi. I'm using the hono/cors middleware and also setting the Vary header to Accept for responses in my controller. I noticed that the actual server response is Vary: Origin instead.
After checking the source code I see that Hono checks the request vary header, and if that is not there, it will overwrite it on the response. Does it make sense that it should check the response vary header instead? New to the whole vary header, so I'm assuming it is not normal practice for a request from the client to include it. Or is there a reason for this, i.e. security?
const existingVary = c.req.header('Vary')
Reproduction
I've created a minimal reproduction repository: https://github.com/Juuldamen/hono-vary-cors-issue. See the readme for test commands.
- Run server that has a CORS middleware and a controller that returns a response with the Vary header that has a value different than Origin.
- Send an HTTP request, for minimal repro: curl -i http://localhost:8787/test
What is the expected behavior?
The Vary header value on the HTTP response should include the values as set on the response in the controller. Preferably it should check if the value includes Origin and if not add it when the CORS middleware is used, to prevent issues with CORS if the developer forgets to add this to their Vary response value.
What do you see instead?
The Vary header value in the response only includes Origin, unless the request includes the Vary header itself. Then the response will include the same Vary value as the request.
Additional information
As briefly discussed on Discord: https://discord.com/channels/1011308539819597844/1012485912409690122/1427417950037606421
Source line referenced above: hono/src/middleware/cors/index.ts, line 112 in 4b796cf
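The difference between the behaviour reported above and the expected one, as an added example that is not the reporter's code or Hono's source. The function names are hypothetical, and `reportedVary` only models what the report describes. Keeping `Origin` in `Vary` matters because a shared cache could otherwise serve a response carrying one origin's `Access-Control-Allow-Origin` to a different origin.

```javascript
// Added example; not Hono's source. Function names are hypothetical.

// Split a Vary field value into trimmed, non-empty member names.
function parseVary(value) {
  return (value ?? '').split(',').map((m) => m.trim()).filter(Boolean)
}

// Add `field` to an existing Vary value without dropping what is there.
// Names compare case-insensitively; "*" already covers every header.
function appendVary(existing, field) {
  const members = parseVary(existing)
  if (members.includes('*')) return '*'
  const present = members.some((m) => m.toLowerCase() === field.toLowerCase())
  return (present ? members : [...members, field]).join(', ')
}

// Behaviour described in the report: the request's Vary value decides,
// and whatever the controller set on the response is overwritten.
function reportedVary(reqHeaders, resHeaders) {
  resHeaders.set('Vary', reqHeaders.get('Vary') ?? 'Origin')
  return resHeaders.get('Vary')
}

// Expected behaviour from the report: start from the response's own
// Vary value and make sure Origin is part of it.
function mergedVary(resHeaders) {
  resHeaders.set('Vary', appendVary(resHeaders.get('Vary'), 'Origin'))
  return resHeaders.get('Vary')
}

// Constructed sample: the controller answered with "Vary: Accept" and
// the client sent no Vary header (the curl case from the reproduction).
const request = new Headers()
console.log(reportedVary(request, new Headers({ Vary: 'Accept' }))) // Origin
console.log(mergedVary(new Headers({ Vary: 'Accept' }))) // Accept, Origin
```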