Spring-framework: Duplicate Vary headers after enabling CORS filter

Created on 31 Mar 2020 · 3 Comments · Source: spring-projects/spring-framework

Affects: 2.2.6 and up, from what I tested.


Summary
I have noticed strange behavior when requesting a static resource with GET while having the CORS filter enabled by providing a CorsFilter bean.
The problem is that the Vary headers get duplicated. This only happens when the URL gets mapped by SimpleUrlHandlerMapping to a request handler that implements CorsConfigurationSource,
because then the AbstractHandlerMapping that the SimpleUrlHandlerMapping extends injects a CorsInterceptor into the HandlerExecutionChain.
This CorsInterceptor then uses a DefaultCorsProcessor to process the requests, which in turn automatically appends the Vary headers.
The problem is that the CorsFilter also uses this DefaultCorsProcessor, so that's why the Vary headers get duplicated.

Current behavior
When enabling the CORS filter, static file responses contain duplicate Vary headers.

Expected behavior
When enabling the CORS filter, static file responses contain unique Vary headers.

Configuration

  • Spring Boot 2.2.6
  • Spring Web 5.2.5
  • Java 8

Sample
https://github.com/rwinch/spring-boot-double-vary-headers/tree/no-security

Related
Previously I thought this was related to Spring Security, so I created a ticket there (already resolved).
I'm linking it here for reference:
https://github.com/spring-projects/spring-security/issues/8245

web bug

All 3 comments

A potential fix would be to only inject the CorsInterceptor in the AbstractHandlerMapping if the handler extends CorsConfigurationSource AND it provides a non-null CorsConfiguration too.
Right now this check is being done in AbstractHandlerMapping#hasCorsConfigurationSource.
Or another way would be to add the Vary headers in the DefaultCorsProcessor#processRequest only if they aren't already present.

Are there any updates on this issue?

Fixed and validated with the sample project, thanks for raising this.
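
The second approach suggested in the comments, appending the Vary values only when they are not already present, shown as an added example (not Spring's code and not the fix that was shipped). It models response headers as a plain map using only the JDK; the class and method names are hypothetical, and the pre-existing `Vary` line is constructed sample data.

```java
import java.util.*;

public class VaryDedupDemo {

    // Request headers that Spring's DefaultCorsProcessor lists in Vary on each pass.
    static final List<String> CORS_VARY = Arrays.asList(
            "Origin", "Access-Control-Request-Method", "Access-Control-Request-Headers");

    // Behaviour described in the issue: every pass appends unconditionally.
    static void addVaryUnconditionally(Map<String, List<String>> headers) {
        headers.computeIfAbsent("Vary", k -> new ArrayList<>()).addAll(CORS_VARY);
    }

    // Guarded variant: append only the values that are still missing.
    static void addVaryIfAbsent(Map<String, List<String>> headers) {
        List<String> lines = headers.computeIfAbsent("Vary", k -> new ArrayList<>());
        for (String wanted : CORS_VARY) {
            if (!containsToken(lines, wanted)) {
                lines.add(wanted);
            }
        }
    }

    // A Vary line may carry several comma-separated field names; names are case-insensitive.
    static boolean containsToken(List<String> lines, String wanted) {
        for (String line : lines) {
            for (String token : line.split(",")) {
                if (token.trim().equalsIgnoreCase(wanted)) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Map<String, List<String>> naive = new LinkedHashMap<>();
        addVaryUnconditionally(naive); // pass 1: CorsFilter
        addVaryUnconditionally(naive); // pass 2: CorsInterceptor added by the handler mapping
        System.out.println("unconditional: " + naive.get("Vary"));

        Map<String, List<String>> guarded = new LinkedHashMap<>();
        // Constructed pre-existing header, e.g. set earlier by compression or another filter.
        guarded.put("Vary", new ArrayList<>(Arrays.asList("accept-encoding, origin")));
        addVaryIfAbsent(guarded); // pass 1
        addVaryIfAbsent(guarded); // pass 2
        System.out.println("guarded:       " + guarded.get("Vary"));
    }
}
```

The guard compares individual field names, not whole header lines, so a value already present inside a combined line such as `accept-encoding, origin` is not appended a second time.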
