This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
+++ This bug was initially created as a clone of Bug #14663 +++

At the F2F it was established we should have a section giving authors advice on how to deal with caches and CORS. Adam volunteered to write up a proposal.
See also bug 21012 by Brock Allen about mentioning Vary.
Is this bug about caching proxies or the browser's cache? Currently the specification does not specify what should happen with cross-origin cached requests from multiple servers.

For example, let's imagine that the following image is used by multiple sites:

    <img crossorigin="anonymous" src="http://example.com/x.png">

The server checks access on the fly and replies with a non-wildcard Access-Control-Allow-Origin header and caching directives:

    Access-Control-Allow-Origin: http://example.com
    Cache-Control: max-age=3600

The browser stores this response in a cache. When the image is referenced again, but at a different site, the request is blocked, because the browser does not look past its cache (at the moment).

Could the intended behavior for this use case be specified?

FYI, I discovered the bug at https://github.com/Rob--W/cors-anywhere/issues/6.
Right, that is the scenario. The advice would be to use the Vary header (which does not work well with proxies unfortunately).
https://github.com/whatwg/fetch/commit/fb04b72c54fc14d487184c6716a0b0f15832d5c2
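
The caching scenario discussed in this thread, and the effect of the Vary: Origin advice, as an added simulation that is not part of the original bug comments. The server, cache, function names and the two site origins are constructed for illustration, and the cache ignores freshness (every stored entry is treated as still within its max-age).

```javascript
// Constructed simulation: an origin-checking server behind an HTTP cache.
// originServer, HttpCache, corsCheck and the site origins are hypothetical names.
const ALLOWED = new Set(["http://site-a.example", "http://site-b.example"]);

// Server echoes the requesting origin if it is allowed; optionally sends Vary: Origin.
function originServer(req, sendVary) {
  const headers = { "cache-control": "max-age=3600" };
  const origin = req.headers.origin;
  if (ALLOWED.has(origin)) headers["access-control-allow-origin"] = origin;
  if (sendVary) headers["vary"] = "Origin";
  return { status: 200, headers, body: "<png bytes>" };
}

class HttpCache {
  constructor() { this.entries = new Map(); } // url -> list of stored variants
  fetch(req, server) {
    const variants = this.entries.get(req.url) || [];
    // A variant matches when every request header named in its Vary is unchanged.
    const hit = variants.find(v =>
      v.varyNames.every(n => v.reqHeaders[n] === req.headers[n]));
    if (hit) return { response: hit.response, fromCache: true };
    const response = server(req);
    const varyNames = (response.headers.vary || "")
      .split(",").map(s => s.trim().toLowerCase()).filter(Boolean);
    variants.push({ varyNames, reqHeaders: { ...req.headers }, response });
    this.entries.set(req.url, variants);
    return { response, fromCache: false };
  }
}

// The CORS check applied to whatever response the cache hands back.
function corsCheck(origin, response) {
  const acao = response.headers["access-control-allow-origin"];
  return acao === "*" || acao === origin;
}

// Load the same image first from site A, then from site B, through one cache.
function loadFromTwoSites(sendVary) {
  const cache = new HttpCache();
  const server = req => originServer(req, sendVary);
  return ["http://site-a.example", "http://site-b.example"].map(origin => {
    const req = { url: "http://example.com/x.png", headers: { origin } };
    const { response, fromCache } = cache.fetch(req, server);
    return { origin, fromCache, allowed: corsCheck(origin, response) };
  });
}

console.log(loadFromTwoSites(false)); // second load: cache hit, CORS check fails
console.log(loadFromTwoSites(true));  // second load: cache miss, CORS check passes
```
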