Purge File by URL for ALL ORIGINs

I have read the API docs and all the related threads in this discussion forum regarding purging files by URL but my question remains unanswered. Is it possible to purge a file by URL for ALL ORIGINs?

If I have a file on my server, e.g. example.org/script.js, that I share with any origin, e.g. Access-Allow-Control-Origin: *, how can I purge this file from Cloudflare’s cache for all origins that have ever accessed the file?

That’s not how CORS requests work. If you pure a resource from your cache, it will be served fresh the next time those websites make a request to the resources. If the website does its own cache (eg. with the browser’s local storage) then you can’t purge that cache from your origin.

If you purge a resource from your cache, it will be served fresh the next time those websites make a request to the resources.

Yes, but according to Cloudflare’s docs the cache key computed for a resource is a combination of: HOST header + ORIGIN header + URL path + QUERY. If I serve example.org/script.js to somesite.com and othersite.net then Cloudflare’s CDN will cache script.js separately for somesite.com and othersite.net so when I try to use the API to purge the file from the CDN I can’t just specify example.org/script.js I have to specify [{ url: 'example.org/script.js', origin: 'somesite.com' }, { url: 'example.org/script.js', origin: 'othersite.net'}] which is very annoying because it means my server has to keep track of every origin that has ever accessed my file when I need to cache-bust it. So, to ask my question again, is there a way to purge a cached file from Cloudflare’s CDN for ALL ORIGIN HEADERs?

If the website does its own cache (eg. with the browser’s local storage) then you can’t purge that cache from your origin.

When I’m talking about ORIGINs I am referring to the other websites accessing content on my website, I’m not referring to my own website.

Are you using a custom cache key (which IIRC is only for Enterprise customers)? Based on the warning:

https://api.cloudflare.com/#zone-purge-files-by-url

To purge files with custom cache keys, include the headers used to compute the cache key as in the example. To purge files with {geo} or {devicetype} in their cache keys, include the CF-Device-Type or CF-IPCountry headers.

I would guess that you should only need to specify the headers when you have a page rule with a custom cache key.

If you are using this, then i’d recommend adding a cache-tag and then purging by cache-tag.

I am not on an Enterprise plan and I am not using a custom cache key. The default cache key is HOST + ORIGIN + URL + QUERY as I understand from this support page:

Cloudflare supports CORS by:

  • Identifying cached assets based on the Host Header, Origin Header, URL path, and query. This allows different resources to use the same Host header but different Origin headers.

And also this support page:

Important! A single-file purge performed through your Cloudflare dashboard does not clear objects that contain:

  • An origin header

So even without a custom cache key it seems the API requires passing Origin headers to cache-bust any CORS resource. Having to keep track of every Origin header that has ever appeared in a request for my CORS resource is burdensome.

The Purge File API only allows purging 30 files per request, so if 3000 sites access my resource and I want to cache-bust it I have to send 100 requests to Cloudflare’s API to cache-bust a single file and include 3000 different origin headers across those 100 requests. Also, Cloudflare rate-limits API requests to 4 per second so I can’t even send all the requests at once but have to implement some chunking and delaying strategy.

All of the above effort just to cache-bust A SINGLE FILE. It just seems crazy. There has to be some API call that allows me to cache-bust a resource for all Origins.

It is. It would be very useful if you could remove Origin as part of the cache key via a page rule at least. In lots of cases (I assume for you as well) the origin server is delivering the same asset regardless of the Origin, but the load on the origin is 3,000 times greater than it needs to be.

Unfortunately most of the solutions I can think of require Enterprise, such as Purge by Tag, Purge by Path, custom cache keys etc.

The only remaining thing I can think of is to use a Worker to modify the requests so that they all match the same cached asset, and then perhaps add appropriate CORS response headers on the way out. This will be a paid per request feature, so depending on your volume it might be a solution for you.

Yes, it would be, but it shouldn’t even require a Page Rule in the first place. If a server returns the header Access-Control-Allow-Origin: * or intentionally omits the header Vary: Origin that should already be enough information for Cloudflare to understand that the resource is identical regardless of which Origin is requesting the resource.

If someone from the Cloudflare Dev or Project Management teams stumbles across this comment please fix the bug of your CDN servers ignoring Vary headers in their caching decisions. I was very surprised to read from this support page that:

Cloudflare doesn’t consider vary values when making caching decisions.

That’s not a feature that is a bug, and it makes use-cases like mine, which are not at all uncommon, very frustrating.

If a server omits Vary: Origin or includes Access-Control-Allow-Origin: * do not use the Origin header as part of the default cache key, or otherwise add an option to the Purge File by URL API where I can specify the file should be purged for all origins.