From 6a5266c6b8a2a5324fe3f1543ec63230e4d1f16d Mon Sep 17 00:00:00 2001
From: Gidi Kroon <Gidi@gidikroon.eu>
Date: Sun, 25 Jun 2023 03:22:41 +0200
Subject: [PATCH] Add Vary header in case of content negotiation

Sometimes we return different content depending on whether JSON, XML or
HTML was requested in the Accept request header. The Vary response
header should list that header in these cases, to allow caching
frameworks to determine what to cache.
---
 src/Module/ActivityPub/Objects.php | 2 ++
 src/Module/Friendica.php           | 3 +++
 src/Module/Item/Display.php        | 2 ++
 src/Module/Profile/Profile.php     | 3 +++
 src/Module/Xrd.php                 | 4 +++-
 5 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/Module/ActivityPub/Objects.php b/src/Module/ActivityPub/Objects.php
index 34d460951..2d5862a1c 100644
--- a/src/Module/ActivityPub/Objects.php
+++ b/src/Module/ActivityPub/Objects.php
@@ -130,6 +130,8 @@ class Objects extends BaseModule
 		// Relaxed CORS header for public items
 		header('Access-Control-Allow-Origin: *');
 
+		header('Vary: Accept', false);
+
 		System::jsonExit($data, 'application/activity+json');
 	}
 }
diff --git a/src/Module/Friendica.php b/src/Module/Friendica.php
index 90869878e..739078763 100644
--- a/src/Module/Friendica.php
+++ b/src/Module/Friendica.php
@@ -90,6 +90,8 @@ class Friendica extends BaseModule
 			$blocked = null;
 		}
 
+		header('Vary: Accept', false);
+
 		$hooked = '';
 
 		Hook::callAll('about_hook', $hooked);
@@ -125,6 +127,7 @@ class Friendica extends BaseModule
 				$data = ActivityPub\Transmitter::getProfile(0);
 				header('Access-Control-Allow-Origin: *');
 				header('Cache-Control: max-age=23200, stale-while-revalidate=23200');
+				header('Vary: Accept', false);
 				System::jsonExit($data, 'application/activity+json');
 			} catch (HTTPException\NotFoundException $e) {
 				System::jsonError(404, ['error' => 'Record not found']);
diff --git a/src/Module/Item/Display.php b/src/Module/Item/Display.php
index b2ed43c5b..54e55de2f 100644
--- a/src/Module/Item/Display.php
+++ b/src/Module/Item/Display.php
@@ -162,6 +162,8 @@ class Display extends BaseModule
 
 		$output .= $this->getDisplayData($item);
 
+		header('Vary: Accept', false);
+
 		return $output;
 	}
 
diff --git a/src/Module/Profile/Profile.php b/src/Module/Profile/Profile.php
index 5e5028cb8..b8f16656e 100644
--- a/src/Module/Profile/Profile.php
+++ b/src/Module/Profile/Profile.php
@@ -87,6 +87,7 @@ class Profile extends BaseProfile
 					$data = ActivityPub\Transmitter::getProfile($user['uid']);
 					header('Access-Control-Allow-Origin: *');
 					header('Cache-Control: max-age=23200, stale-while-revalidate=23200');
+					header('Vary: Accept', false);
 					System::jsonExit($data, 'application/activity+json');
 				} catch (HTTPException\NotFoundException $e) {
 					System::jsonError(404, ['error' => 'Record not found']);
@@ -103,6 +104,8 @@ class Profile extends BaseProfile
 				System::jsonError(404, []);
 			}
 		}
+
+		header('Vary: Accept', false);
 	}
 
 	protected function content(array $request = []): string
diff --git a/src/Module/Xrd.php b/src/Module/Xrd.php
index 6a4c0e860..71a3d37a9 100644
--- a/src/Module/Xrd.php
+++ b/src/Module/Xrd.php
@@ -152,6 +152,7 @@ class Xrd extends BaseModule
 			]
 		];
 		header('Access-Control-Allow-Origin: *');
+		header('Vary: Accept', false);
 		System::jsonExit($json, 'application/jrd+json; charset=utf-8');
 	}
 
@@ -229,6 +230,7 @@ class Xrd extends BaseModule
 		];
 
 		header('Access-Control-Allow-Origin: *');
+		header('Vary: Accept', false);
 		System::jsonExit($json, 'application/jrd+json; charset=utf-8');
 	}
 
@@ -326,7 +328,7 @@ class Xrd extends BaseModule
 		]);
 
 		header('Access-Control-Allow-Origin: *');
-
+		header('Vary: Accept', false);
 		System::httpExit($xmlString, Response::TYPE_XML, 'application/xrd+xml');
 	}
 }