From b4f966c7599a144addecbfee25b2a3e14905cd37 Mon Sep 17 00:00:00 2001
From: Bahaa Naamneh
Date: Sat, 27 Sep 2025 19:27:51 +0200
Subject: [PATCH 1/4] do not set cache in authenticated fetch
---
 src/http-api/fetch.ts | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/http-api/fetch.ts b/src/http-api/fetch.ts
index d6d1b5a52a3..cec3672a732 100644
--- a/src/http-api/fetch.ts
+++ b/src/http-api/fetch.ts
@@ -279,6 +279,13 @@ export class FetchHttpApi {
 const { signal, cleanup } = anySignal(signals);
+ // Set cache mode based on presence of Authorization header.
+ // Proxies do not cache responses to requests with Authorization headers.
+ // So specifying "no-cache" is redundant, and actually prevents caching
+ // of preflight requests in CORS scenarios. As such, we only set "no-cache"
+ // when there is no Authorization header.
+ const cacheMode = "Authorization" in headers ? undefined : "no-cache";
+
 let res: Response;
 const start = Date.now();
 try {
@@ -291,7 +298,7 @@ export class FetchHttpApi {
 redirect: "follow",
 referrer: "",
 referrerPolicy: "no-referrer",
- cache: "no-cache",
+ cache: cacheMode,
 credentials: "omit", // we send credentials via headers
 keepalive: keepAlive,
 priority: opts.priority,
From afc11dc36744aa889b4e0a8cc698da0670974e4c Mon Sep 17 00:00:00 2001
From: Bahaa Naamneh
Date: Sat, 27 Sep 2025 20:35:26 +0200
Subject: [PATCH 2/4] issue 5019 - updated comment
---
 src/http-api/fetch.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/http-api/fetch.ts b/src/http-api/fetch.ts
index cec3672a732..3869145914e 100644
--- a/src/http-api/fetch.ts
+++ b/src/http-api/fetch.ts
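Review bot: In the first hunk of PATCH 1/4 (repeated in PATCH 3/4), leaving `cacheMode` as `undefined` for authenticated requests puts the fetch in the `default` cache mode, and the comment's premise does not cover that case: the rule against reusing responses to requests with `Authorization` (RFC 9111 §3.5) binds shared caches, not the browser's own HTTP cache. In `default` mode a stored response that is still fresh is returned without revalidation, and the entry is selected by URL plus any `Vary` headers rather than by the token, so freshness and separation between accounts in one browser profile now depend on the homeserver's `Cache-Control`. I would state that dependency next to the assignment, for example `// NOTE: with no cache mode set, the browser's own HTTP cache may serve a fresh stored response; this relies on the server's Cache-Control.` Separately, `"Authorization" in headers` is a case-sensitive key test, so a caller-supplied `authorization` key would keep `no-cache`; `headers` is built outside the hunk, so this needs checking against how it is constructed.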
@@ -280,7 +280,7 @@ export class FetchHttpApi {
 const { signal, cleanup } = anySignal(signals);
 // Set cache mode based on presence of Authorization header.
- // Proxies do not cache responses to requests with Authorization headers.
+ // Browsers/proxies do not cache responses to requests with Authorization headers.
 // So specifying "no-cache" is redundant, and actually prevents caching
 // of preflight requests in CORS scenarios. As such, we only set "no-cache"
 // when there is no Authorization header.
From e76b1e6bb5b5c992b78cc0593903ef46f5219651 Mon Sep 17 00:00:00 2001
From: Bahaa Naamneh
Date: Sat, 27 Sep 2025 19:27:51 +0200
Subject: [PATCH 3/4] do not set cache in authenticated fetch
Signed-off-by: Bahaa Naamneh
---
 src/http-api/fetch.ts | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/http-api/fetch.ts b/src/http-api/fetch.ts
index d6d1b5a52a3..cec3672a732 100644
--- a/src/http-api/fetch.ts
+++ b/src/http-api/fetch.ts
@@ -279,6 +279,13 @@ export class FetchHttpApi {
 const { signal, cleanup } = anySignal(signals);
+ // Set cache mode based on presence of Authorization header.
+ // Proxies do not cache responses to requests with Authorization headers.
+ // So specifying "no-cache" is redundant, and actually prevents caching
+ // of preflight requests in CORS scenarios. As such, we only set "no-cache"
+ // when there is no Authorization header.
+ const cacheMode = "Authorization" in headers ? undefined : "no-cache";
+
 let res: Response;
 const start = Date.now();
 try {
@@ -291,7 +298,7 @@ export class FetchHttpApi {
 redirect: "follow",
 referrer: "",
 referrerPolicy: "no-referrer",
- cache: "no-cache",
+ cache: cacheMode,
 credentials: "omit", // we send credentials via headers
 keepalive: keepAlive,
 priority: opts.priority,
From f6df7d326d90c564ac0e962f3f658e6d8d4b099e Mon Sep 17 00:00:00 2001
From: Bahaa Naamneh
Date: Sat, 27 Sep 2025 20:35:26 +0200
Subject: [PATCH 4/4] issue 5019 - updated comment
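Review bot: The reworded comment line in PATCH 2/4 (`// Browsers/proxies do not cache responses to requests with Authorization headers.`, same hunk in PATCH 4/4) overstates the rule: RFC 9111 §3.5 restricts shared caches, while a browser's private cache may store and reuse such responses when the response headers allow it. Since this comment is the stated justification for dropping `no-cache`, a reader auditing cache behaviour would take it as a guarantee. Suggested wording: `// Shared caches (proxies) do not reuse responses to requests with Authorization headers unless the response allows it.` The enclosing method starts and ends outside the hunk.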
Signed-off-by: Bahaa Naamneh
---
 src/http-api/fetch.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/http-api/fetch.ts b/src/http-api/fetch.ts
index cec3672a732..3869145914e 100644
--- a/src/http-api/fetch.ts
+++ b/src/http-api/fetch.ts
@@ -280,7 +280,7 @@ export class FetchHttpApi {
 const { signal, cleanup } = anySignal(signals);
 // Set cache mode based on presence of Authorization header.
- // Proxies do not cache responses to requests with Authorization headers.
+ // Browsers/proxies do not cache responses to requests with Authorization headers.
 // So specifying "no-cache" is redundant, and actually prevents caching
 // of preflight requests in CORS scenarios. As such, we only set "no-cache"
 // when there is no Authorization header.