Problem/Motivation
We have an event subscriber which adds 'referer' string in vary header in the response . CorsService.php appendes 'origin' vary header and removing our vary header from the below code
public function varyHeader(Response $response, $header): Response
{
if (!$response->headers->has('Vary')) {
$response->headers->set('Vary', $header);
} elseif (!in_array($header, explode(', ', $response->headers->get('Vary')))) {
$response->headers->set('Vary', $response->headers->get('Vary') . ', ' . $header);
}
return $response;
}Note: Page cache module is disabled.In the screenshots attached it is shown we are getting 'cookie' and 'referer' in the vary header but from the above code $response->headers->get('Vary') is fetching only first value of vary header which is 'cookie' in this case and adding 'origin' in the vary header. If we add the priority, our event will be fired before FinishResponse subscriber which adds 'cookie' in vary header and the order of vary header will be reversed, which is 'referer','cookie'. In this case we will get 'referer' in the response but cookie will be removed from vary.
Steps to reproduce
1.Add event subscriber in the custom module. Subscribe to kernel response event to add vary header.
public static function getSubscribedEvents() {
$events[KernelEvents::RESPONSE][] = ['onRespond'];
return $events;
}
public function onRespond(ResponseEvent $event): void {
$response = $event->getResponse();
$response->setVary('Referer', FALSE);
}
}
2. When we load the page and inspect it, referrer from the vary header is missing.
Proposed resolution
$events[KernelEvents::RESPONSE][] = ['onRespond' ,1];
If we give it a priority,it resolves the issue but then it removes cookie vary header.
something needs to be done so that in CorsService.php,$response->headers->get('Vary') , it should fetch all values of vary header and add 'orgin' at the end of it instead of replacing.