workbox-strategies / getCacheKeyForURL should account for CORS

[allanlei]

Library Affected:
workbox-strategies

Browser & Platform:

• Chrome Linux Version 97.0.4692.99 (Official Build) (64-bit)

Issue or Feature Request Description:
Using StaleWhileRevalidate with URLs (ie api.example.com) that

• Have CORS with non-wildcard domains (ie access-control-allow-origin: google.com, etc)
• Publicly cachable (ie Cache-Control: public, max-age: ...)
• Used on multiple Origin domains (app.example.com and example.com)
  will produce CORS errors on the second visited domain with a CORS error saying the resource is for the first domain.

Since getCacheKeyForURL only accounts for location.href and not Origin, then the response of the first domain is given as a cached response to the second.

[jeffposnick]

Hello @allanlei—the code that you linked to, getCacheKeyForURL(), is part of the workbox-precaching library. It's not run as part of StaleWhileRevalidate in workbox-strategies.

Can you provide a live example that demonstrates the problem, or point to more specific code?

[allanlei]

@jeffposnick I'll have to close this issue for now as it turns out the issue is somewhere else.

For reference, the issue I was having was related to 304 responses not having CORS (see httpwg/http-core#165)