Recently PortSwigger (guys behind Burp Suite) came up with a blog post discussing the security risks associated with CORS mis-configurations.
http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html
In summary, the blog talks about insecure ways of enabling CORS which can allow malicious web sites to read data from a target site. Towards the end, the blog talks about a prevention mechanism involving the Vary: Origin header:
If you take a look at the 'Implementation Considerations' section in the CORS specification, you'll notice that it instructs developers to specify the 'Vary: Origin' HTTP header whenever Access-Control-Allow-Origin headers are dynamically generated.
I am having a hard time understanding how exactly the Vary header helps prevent CORS exploitation (XSS using cache poisoning) in a scenario where the Access-Control-Allow-Origin header is dynamically generated (controlled by the client).
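An added example (not part of the question or of the PortSwigger post) that models why a shared cache needs Vary: Origin when Access-Control-Allow-Origin is generated per request. The API server, its allowlist, the path and the origins are all constructed; the cache-key rule follows RFC 7234 section 4.1, under which a stored response may be reused only if the request headers named in its Vary header match the current request. Without Vary, the first origin to populate the cache decides the ACAO value every later requester receives; with Vary: Origin, each origin gets the response generated for it.

```python
"""Toy model of a shared HTTP cache in front of a server that generates
Access-Control-Allow-Origin (ACAO) dynamically from an allowlist.
Added example, not code from the question or the PortSwigger post: the
server, allowlist and origins are constructed; the cache-key rule is the
'selecting header' rule of RFC 7234 section 4.1."""
from typing import Dict, List, Optional, Tuple

# Constructed allowlist of the hypothetical API server.
ALLOWED_ORIGINS = {"https://app.example", "https://admin.example"}


def origin_server(request_headers: Dict[str, str], send_vary: bool) -> Dict[str, str]:
    """Reflects the request Origin into ACAO only when it is allowlisted."""
    headers = {"Content-Type": "application/json", "Cache-Control": "public, max-age=60"}
    origin = request_headers.get("Origin", "")
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
    if send_vary:
        headers["Vary"] = "Origin"  # tells caches this response depends on Origin
    return headers


class SharedCache:
    """Minimal shared cache: one entry list per path; each entry remembers the
    request-header values (the 'selecting headers') it was stored under."""

    def __init__(self, send_vary: bool) -> None:
        self.send_vary = send_vary
        self.entries: Dict[str, List[Tuple[Dict[str, str], Dict[str, str]]]] = {}
        self.origin_hits = 0

    def fetch(self, path: str, request_headers: Dict[str, str]) -> Dict[str, str]:
        for selecting, response in self.entries.get(path, []):
            # Reuse only if every header named in the stored Vary matches the
            # current request (RFC 7234 4.1). With no Vary, 'selecting' is empty,
            # so the first cached copy is served to every origin.
            if all(request_headers.get(h, "") == v for h, v in selecting.items()):
                return response
        self.origin_hits += 1
        response = origin_server(request_headers, self.send_vary)
        vary = [h.strip() for h in response.get("Vary", "").split(",") if h.strip()]
        selecting = {h: request_headers.get(h, "") for h in vary}
        self.entries.setdefault(path, []).append((selecting, response))
        return response


def browser_allows_read(origin: str, response: Dict[str, str]) -> bool:
    """Simplified CORS check a browser applies to a non-credentialed response."""
    acao = response.get("Access-Control-Allow-Origin")
    return acao == "*" or acao == origin


def simulate(send_vary: bool) -> List[Optional[str]]:
    """Three origins request the same path in turn; returns the ACAO each received."""
    cache = SharedCache(send_vary)
    received: List[Optional[str]] = []
    # Constructed origins: two allowlisted, one not.
    for origin in ("https://app.example", "https://admin.example", "https://other.example"):
        resp = cache.fetch("/api/profile", {"Origin": origin})
        received.append(resp.get("Access-Control-Allow-Origin"))
    return received


if __name__ == "__main__":
    print("without Vary:", simulate(False))  # first origin's ACAO is served to all
    print("with Vary:   ", simulate(True))   # each origin gets its own response
```

Run without Vary, the cached copy carries the first requester's origin in ACAO, so a later request from https://admin.example receives a response that the browser's CORS check rejects, and a non-allowlisted origin receives a response that was never generated for it. With Vary: Origin the cache keys on the Origin header, so the server's per-origin decision is what each origin actually sees.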