This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 23653 - Advice on CORS and caches
Status: RESOLVED FIXED
Alias: None
Product: WHATWG
Classification: Unclassified
Component: Fetch
Version: unspecified
Hardware: PC Windows 3.1
Importance: P2 normal
Target Milestone: Unsorted
Assignee: Anne
QA Contact: sideshowbarker+fetchspec
Reported: 2013-10-28 14:17 UTC by Anne
Modified: 2014-05-19 12:56 UTC

Description Anne 2013-10-28 14:17:35 UTC
+++ This bug was initially created as a clone of Bug #14663 +++

At the F2F it was established we should have a section giving authors advice on how to deal with caches and CORS. Adam volunteered to write up a proposal.

Comment 1 Anne 2013-10-28 14:21:12 UTC
See also bug 21012 by Brock Allen about mentioning Vary.

Comment 2 rob 2014-03-12 18:30:31 UTC
Is this bug about caching proxies or the browser's cache?

Currently the specification does not specify what should happen with cross-origin cached requests from multiple servers.

For example, let's imagine that the following image is used by multiple sites:

    <img crossorigin="anonymous" src="http://example.com/x.png">

The server checks access on the fly and replies with a non-wildcard Access-Control-Allow-Origin header and caching directives:

    Access-Control-Allow-Origin: http://example.com
    Cache-Control: max-age=3600

The browser stores this response in a cache. When the image is referenced again, but at a different site, the request is blocked, because the browser does not look past its cache (at the moment).

Could the intended behavior for this use case be specified?

FYI, I discovered the bug at https://github.com/Rob--W/cors-anywhere/issues/6.

Comment 3 Anne 2014-03-17 18:06:13 UTC
Right, that is the scenario. The advice would be to use the Vary header (which does not work well with proxies unfortunately).
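
The scenario from comment 2 and the Vary advice from comment 3, modelled as an added example (not code from this thread or from the Fetch specification). The cache class, the server function and the two site origins are constructed for illustration, and every stored entry is assumed to be still fresh.

```javascript
// Constructed model: a server that echoes the requesting Origin in
// Access-Control-Allow-Origin, and an HTTP cache sitting in front of it.
const IMAGE_URL = "http://example.com/x.png";

// Server: checks access on the fly, replies with a non-wildcard ACAO.
function server(origin, sendVary) {
  const headers = {
    "access-control-allow-origin": origin,
    "cache-control": "max-age=3600",
  };
  if (sendVary) headers["vary"] = "Origin"; // the advice from comment 3
  return { headers };
}

// Cache keyed by URL. A stored entry is reused only when every request
// header named in its Vary matches the request that created the entry.
class HttpCache {
  constructor() { this.entries = new Map(); }
  lookup(url, reqHeaders) {
    const hit = (this.entries.get(url) || []).find((e) => {
      const names = (e.response.headers["vary"] || "")
        .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
      return names.every((h) => e.reqHeaders[h] === reqHeaders[h]);
    });
    return hit ? hit.response : null;
  }
  store(url, reqHeaders, response) {
    if (!this.entries.has(url)) this.entries.set(url, []);
    this.entries.get(url).push({ reqHeaders, response });
  }
}

// CORS check for an anonymous request: ACAO is "*" or equals the Origin.
function corsCheck(origin, response) {
  const acao = response.headers["access-control-allow-origin"];
  return acao === "*" || acao === origin;
}

// Load the image for a page at `origin`; report cache use and CORS outcome.
function load(cache, origin, sendVary) {
  const reqHeaders = { origin };
  let response = cache.lookup(IMAGE_URL, reqHeaders);
  const fromCache = response !== null;
  if (!fromCache) {
    response = server(origin, sendVary);
    cache.store(IMAGE_URL, reqHeaders, response);
  }
  return { fromCache, allowed: corsCheck(origin, response) };
}
```

Without `Vary: Origin` the second site is served the first site's cached headers and fails the CORS check; with it, the cache treats the second request as a miss and the server is asked again.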