Affects: 2.2.6 and up, from what I tested.
Summary: I have noticed strange behavior when requesting a static resource with GET while having the CORS filter enabled by providing a CorsFilter bean. The problem is that the Vary headers get duplicated. This only happens when the URL gets mapped by SimpleUrlHandlerMapping to a request handler that implements CorsConfigurationSource, because then the AbstractHandlerMapping that the SimpleUrlHandlerMapping extends injects a CorsInterceptor into the HandlerExecutionChain. This CorsInterceptor then uses a DefaultCorsProcessor to process the requests, which in turn automatically appends the Vary headers. The problem is that the CorsFilter also uses this DefaultCorsProcessor, so that's why the Vary headers get duplicated.
Current behavior: When enabling the CORS filter, static file responses contain duplicate Vary headers.
Expected behavior: When enabling the CORS filter, static file responses contain unique Vary headers.
Configuration:
- Spring Boot 2.2.6
- Spring Web 5.2.5
- Java 8
Sample: https://github.com/rwinch/spring-boot-double-vary-headers/tree/no-security
Related: Previously I thought this was related to Spring Security, so I created a ticket there (already resolved). I'm linking it here for reference: https://github.com/spring-projects/spring-security/issues/8245
Comment From: moomba42
A potential fix would be to only inject the CorsInterceptor in the AbstractHandlerMapping if the handler extends CorsConfigurationSource AND it provides a non-null CorsConfiguration too.
Right now this check is being done in AbstractHandlerMapping#hasCorsConfigurationSource
Or another way would be to add the Vary headers in the DefaultCorsProcessor#processRequest only if they aren't already present.
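The "only if they aren't already present" approach from the comment above, as an added example that is not part of the original thread and is not Spring's code. The response is modelled as a plain list of Vary header lines, the class and method names are hypothetical, and the three header names are the ones a CORS response varies on.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

public class VaryDedupExample {

    // Request headers a CORS response varies on.
    static final List<String> CORS_VARY = Arrays.asList(
            "Origin", "Access-Control-Request-Method", "Access-Control-Request-Headers");

    // Naive pass: append unconditionally, as when the filter and the
    // interceptor each process the same response.
    static void addVaryNaive(List<String> varyLines) {
        varyLines.addAll(CORS_VARY);
    }

    // Guarded pass: add only the values not already listed in any Vary line.
    static void addVaryIfAbsent(List<String> varyLines) {
        List<String> present = new ArrayList<>();
        for (String line : varyLines) {
            for (String token : line.split(",")) {        // one line may hold a list
                present.add(token.trim().toLowerCase(Locale.ROOT)); // names are case-insensitive
            }
        }
        if (present.contains("*")) {
            return;                                        // "Vary: *" already covers everything
        }
        for (String value : CORS_VARY) {
            if (!present.contains(value.toLowerCase(Locale.ROOT))) {
                varyLines.add(value);
            }
        }
    }

    public static void main(String[] args) {
        List<String> naive = new ArrayList<>();            // constructed empty response
        addVaryNaive(naive);                               // CorsFilter pass
        addVaryNaive(naive);                               // CorsInterceptor pass
        System.out.println("naive:   " + naive);

        List<String> guarded = new ArrayList<>();
        guarded.add("accept-encoding, origin");            // constructed pre-existing Vary line
        addVaryIfAbsent(guarded);                          // first pass adds the missing values
        addVaryIfAbsent(guarded);                          // second pass finds nothing to add
        System.out.println("guarded: " + guarded);
    }
}
```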
Comment From: rhuitl
Are there any updates on this issue?
Comment From: sdeleuze
Fixed and validated with the sample project, thanks for raising this.