refactor: remove X-Forwarded-Prefix from Vary header in SSR redirect utility#33063
alan-agius4 wants to merge 1 commit into angular:main from
…utility

This is no longer needed since now `X-Forwarded-Prefix` is validated by the users.
Code Review
This pull request removes the logic that automatically adds the `X-Forwarded-Prefix` header to the `Vary` response header during redirects. However, this change introduces a high-severity cache poisoning risk: since the redirect `Location` depends on the `X-Forwarded-Prefix` value, omitting it from the `Vary` header can cause CDNs or reverse proxies to serve incorrect cached redirects to users on different proxy paths.
```ts
    }

    resHeaders.set('Vary', [...varySet].join(', '));
    resHeaders.set('Location', location);
```
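Review bot: the visible context sets `Vary` from `varySet` immediately before `Location`, and the removed lines are not shown in this excerpt, so nothing here confirms that a request header used to derive `location` is still listed in `varySet`. Please point at the caller that now adds `X-Forwarded-Prefix` to the vary set itself when it derives `location` from it, and consider a test that asserts the `Vary` value emitted for such a redirect so the dependency cannot silently drop out again.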
Removing the logic that automatically adds `X-Forwarded-Prefix` to the `Vary` header can lead to cache poisoning. Even if the header is validated, the redirect `Location` still depends on its value (as seen in `AngularAppEngine.redirectBasedOnAcceptLanguage` in `app-engine.ts`).

When a redirect response is cached by a CDN or reverse proxy, it must vary by all headers used to generate the `Location` URL. If `X-Forwarded-Prefix` is omitted from `Vary`, a user accessing the site through a different proxy prefix might receive a cached redirect to the wrong path. If the intention is to make this utility more generic, the responsibility for adding `X-Forwarded-Prefix` to `Vary` should be moved to the caller, but currently, `AngularAppEngine` does not appear to handle this, which introduces a regression in cache safety.
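The cache behaviour the review comment describes, as an added example that is not part of this PR or of the Angular code base: a small model of a shared cache that keys entries by the request headers named in the stored response's `Vary` (the secondary-key rule from RFC 9111), fed by a hypothetical redirect helper whose `Location` is built from `X-Forwarded-Prefix`. The helper `buildRedirect`, the `VaryAwareCache` class, the two proxy prefixes and the `simulate` driver are all constructed here; the `includePrefixInVary` flag toggles the behaviour this PR removes.

```typescript
// Added example, not Angular's code. Models why a redirect whose Location is
// derived from X-Forwarded-Prefix must list that header in Vary.

type HeaderMap = Record<string, string>;

interface CachedResponse {
  status: number;
  headers: HeaderMap;
}

// Hypothetical SSR redirect helper: Location depends on the forwarded prefix,
// mirroring the dependency the review describes. The flag controls whether
// X-Forwarded-Prefix is added to the vary set (the behaviour removed by the PR).
function buildRedirect(req: HeaderMap, includePrefixInVary: boolean): CachedResponse {
  const prefix = req['x-forwarded-prefix'] ?? '';
  const varySet = new Set<string>(['Accept-Language']);
  if (includePrefixInVary) {
    varySet.add('X-Forwarded-Prefix');
  }
  return {
    status: 302,
    headers: {
      vary: [...varySet].join(', '),
      location: `${prefix}/en/`,
    },
  };
}

interface CacheEntry {
  vary: string[];      // header names parsed from the response's Vary
  reqValues: string[]; // values of those headers on the request that was cached
  res: CachedResponse;
}

// Stand-in for a CDN or reverse proxy cache: a stored response is reused only
// when every header named in its Vary carries the same value on the new request.
class VaryAwareCache {
  private readonly entries = new Map<string, CacheEntry[]>();

  private varyValues(vary: string[], req: HeaderMap): string[] {
    return vary.map((h) => req[h.toLowerCase()] ?? '');
  }

  get(url: string, req: HeaderMap): CachedResponse | undefined {
    for (const e of this.entries.get(url) ?? []) {
      const current = this.varyValues(e.vary, req);
      if (current.every((v, i) => v === e.reqValues[i])) {
        return e.res;
      }
    }
    return undefined;
  }

  put(url: string, req: HeaderMap, res: CachedResponse): void {
    const vary = res.headers.vary.split(',').map((s) => s.trim()).filter(Boolean);
    const list = this.entries.get(url) ?? [];
    list.push({ vary, reqValues: this.varyValues(vary, req), res });
    this.entries.set(url, list);
  }
}

// Two clients behind different proxy prefixes request the same URL through one
// shared cache. Returns the Location each client actually receives.
function simulate(includePrefixInVary: boolean): { clientA: string; clientB: string } {
  const cache = new VaryAwareCache();
  const url = '/';
  // Constructed requests: same language, different (constructed) proxy prefixes.
  const reqA: HeaderMap = { 'accept-language': 'en', 'x-forwarded-prefix': '/app-a' };
  const reqB: HeaderMap = { 'accept-language': 'en', 'x-forwarded-prefix': '/app-b' };

  const serve = (req: HeaderMap): CachedResponse => {
    const hit = cache.get(url, req);
    if (hit) {
      return hit;
    }
    const fresh = buildRedirect(req, includePrefixInVary);
    cache.put(url, req, fresh);
    return fresh;
  };

  return {
    clientA: serve(reqA).headers.location,
    clientB: serve(reqB).headers.location,
  };
}
```

With `includePrefixInVary` false, client B is served the redirect cached for client A and lands on `/app-a/en/`; with it true, the cache key differs per prefix and each client gets its own path. The same check applies to any other request header that feeds into `location`: whoever derives the URL from it has to make sure it ends up in the vary set.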