Add `Vary` header for non-wildcard AllowOrigin

1 week ago · 16cb0f981a
2 changed files with 6 additions and 0 deletions
--- a/weed/s3api/cors/cors.go
+++ b/weed/s3api/cors/cors.go
@ -361,6 +361,10 @@ func ApplyHeaders(w http.ResponseWriter, corsResp *CORSResponse) {

 	if corsResp.AllowOrigin != "" {
 		w.Header().Set("Access-Control-Allow-Origin", corsResp.AllowOrigin)
+
+		if corsResp.AllowOrigin != "*" {
+			w.Header().Add("Vary", "Origin")
+		}
 	}

 	if corsResp.AllowMethods != "" {
--- a/weed/s3api/cors/cors_test.go
+++ b/weed/s3api/cors/cors_test.go
@ -480,6 +480,7 @@ func TestApplyHeaders(t *testing.T) {
 				"Access-Control-Allow-Headers":  "Content-Type",
 				"Access-Control-Expose-Headers": "ETag",
 				"Access-Control-Max-Age":        "3600",
+				"Vary":        					 "Origin",
 			},
 		},
 		{
@ -493,6 +494,7 @@ func TestApplyHeaders(t *testing.T) {
 				"Access-Control-Allow-Origin":      "http://example.com",
 				"Access-Control-Allow-Methods":     "GET",
 				"Access-Control-Allow-Credentials": "true",
+				"Vary":        					    "Origin",
 			},
 		},
 	}