Right now, the service at delegated-ipfs.dev/routing/v1 sends the CORS header only when the Origin header is present in the request, and when Origin is present, the response has Vary: Origin:
$ curl -H "Origin: https://example1.com" https://delegated-ipfs.dev/routing/v1/providers/bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi -s -i | grep -i origin
access-control-allow-origin: *
vary: Origin
Problem
If the Vary header in the response is set to the value Origin, it indicates that the response may vary depending on the value of the Origin header in the request.
It means the response is reusable (cacheable) only as long as the value in the Origin header matches, so responses for requests made from different websites (origins) won't benefit from caching.
IIUC this makes little sense with access-control-allow-origin: * because we want liberal access to public goods, and we don't have site-specific responses, so we want the cache to be shared across websites that use public goods to maximize cache HIT rate:
👉 We want CID lookup done by JS running on https://one.example.com to be returned from cache when https://two.example.net asks for it.
Solution
Trustless public good services must have a global cache that is shared across websites (no matter what is in Origin), which means we don't want Vary: Origin at:
delegated-ipfs.dev (needs fixing)
trustless-gateway.link (already ok, but mentioning here as it should share the config/setup/tests)
TODO
Vary: Origin from delegated-ipfs.dev responses
Vary: Accept-Encoding which is used by compression
delegated-ipfs.dev regression was introduced when we added github.com/rs/cors to someguy (add http handlers for cors, metrics and compression ipfs/someguy#30). An easy fix may be to remove that library and instead hardcode liberal CORS headers on all response types.
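A regression check for the fix suggested in the TODO, as an added example (not code from someguy or github.com/rs/cors). The names `backend`, `cors`, `vary` and `sharedCacheSafe` are hypothetical, and the request path uses a constructed CID placeholder.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// backend is a constructed stand-in for a routing handler behind compression.
var backend = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.Header().Add("Vary", "Accept-Encoding")
})

// cors (hypothetical): hardcode=false mimics the behaviour reported above, true sends the header on every response.
func cors(next http.Handler, hardcode bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if hardcode {
			w.Header().Set("Access-Control-Allow-Origin", "*")
		} else if r.Header.Get("Origin") != "" {
			w.Header().Set("Access-Control-Allow-Origin", "*")
			w.Header().Add("Vary", "Origin")
		}
		next.ServeHTTP(w, r)
	})
}

// vary flattens all Vary headers to ",a,b," (lower-case) for exact-name lookup.
func vary(h http.Header) string {
	v := strings.ToLower(strings.Join(h.Values("Vary"), ","))
	return "," + strings.Join(strings.Fields(strings.ReplaceAll(v, ",", " ")), ",") + ","
}

// sharedCacheSafe: every caller gets ACAO "*" and no response varies on Origin.
func sharedCacheSafe(h http.Handler) bool {
	for _, hdr := range []http.Header{{}, {"Origin": {"https://one.example.com"}}, {"Origin": {"https://two.example.net"}}} {
		req := httptest.NewRequest(http.MethodGet, "/routing/v1/providers/constructed-cid", nil)
		req.Header = hdr
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		if rec.Header().Get("Access-Control-Allow-Origin") != "*" || strings.Contains(vary(rec.Header()), ",origin,") {
			return false
		}
	}
	return true
}

func main() { fmt.Println(sharedCacheSafe(cors(backend, false)), sharedCacheSafe(cors(backend, true))) }
```

The request without Origin is part of the check because a shared cache may store that response and later serve it to a browser, which then needs the CORS header to be present.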