From 16cb0f981aefdfd66b2c35e4d10952d9fcb63ac5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=B2=92=E7=B2=92=E6=A9=99?= <i@llc.moe>
Date: Tue, 25 Nov 2025 16:28:15 +0800
Subject: [PATCH] Add `Vary` header for non-wildcard AllowOrigin

---
 weed/s3api/cors/cors.go      | 4 ++++
 weed/s3api/cors/cors_test.go | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/weed/s3api/cors/cors.go b/weed/s3api/cors/cors.go
index d6eb520af..ac9e7cca3 100644
--- a/weed/s3api/cors/cors.go
+++ b/weed/s3api/cors/cors.go
@@ -361,6 +361,10 @@ func ApplyHeaders(w http.ResponseWriter, corsResp *CORSResponse) {
 
 	if corsResp.AllowOrigin != "" {
 		w.Header().Set("Access-Control-Allow-Origin", corsResp.AllowOrigin)
+
+		if corsResp.AllowOrigin != "*" {
+			w.Header().Add("Vary", "Origin")
+		}
 	}
 
 	if corsResp.AllowMethods != "" {
diff --git a/weed/s3api/cors/cors_test.go b/weed/s3api/cors/cors_test.go
index 1b5c54028..8494a284d 100644
--- a/weed/s3api/cors/cors_test.go
+++ b/weed/s3api/cors/cors_test.go
@@ -480,6 +480,7 @@ func TestApplyHeaders(t *testing.T) {
 				"Access-Control-Allow-Headers":  "Content-Type",
 				"Access-Control-Expose-Headers": "ETag",
 				"Access-Control-Max-Age":        "3600",
+				"Vary":        					 "Origin",
 			},
 		},
 		{
@@ -493,6 +494,7 @@ func TestApplyHeaders(t *testing.T) {
 				"Access-Control-Allow-Origin":      "http://example.com",
 				"Access-Control-Allow-Methods":     "GET",
 				"Access-Control-Allow-Credentials": "true",
+				"Vary":        					    "Origin",
 			},
 		},
 	}