Posted to notifications@apisix.apache.org by sp...@apache.org on 2023/03/16 01:17:46 UTC

[apisix] branch master updated: fix: Non wildcard origin in CORS should sent Vary header (#9010)

This is an automated email from the ASF dual-hosted git repository.

spacewander pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git


The following commit(s) were added to refs/heads/master by this push:
     new e41cf45de fix: Non wildcard origin in CORS should sent Vary header (#9010)
e41cf45de is described below

commit e41cf45debd885a739840a651b6b7c5c5b7d6258
Author: Warnar Boekkooi <88...@users.noreply.github.com>
AuthorDate: Thu Mar 16 02:17:36 2023 +0100

    fix: Non wildcard origin in CORS should sent Vary header (#9010)
---
 apisix/plugins/cors.lua | 7 +++----
 t/plugin/cors3.t        | 4 ++--
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/apisix/plugins/cors.lua b/apisix/plugins/cors.lua
index f0d911f5d..8e2a468aa 100644
--- a/apisix/plugins/cors.lua
+++ b/apisix/plugins/cors.lua
@@ -190,10 +190,6 @@ local function set_cors_headers(conf, ctx)
     end
 
     core.response.set_header("Access-Control-Allow-Origin", ctx.cors_allow_origins)
-    if ctx.cors_allow_origins ~= "*" then
-        core.response.add_header("Vary", "Origin")
-    end
-
     core.response.set_header("Access-Control-Allow-Methods", allow_methods)
     core.response.set_header("Access-Control-Max-Age", conf.max_age)
     core.response.set_header("Access-Control-Expose-Headers", conf.expose_headers)
@@ -308,6 +304,9 @@ function _M.header_filter(conf, ctx)
                 conf.allow_origins_by_metadata, ctx, req_origin
         )
     end
+    if conf.allow_origins ~= "*" then
+        core.response.add_header("Vary", "Origin")
+    end
     if allow_origins then
         ctx.cors_allow_origins = allow_origins
         set_cors_headers(conf, ctx)
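Review bot: The new guard `if conf.allow_origins ~= "*" then` keys only on `conf.allow_origins`, while the lines just above it show the allowed origin can also be resolved through `conf.allow_origins_by_metadata`. If a route leaves `allow_origins` at `"*"` and the origin is decided by another source (that one, or `allow_origins_by_regex`; the selection logic is outside this hunk, so this needs confirming), `Access-Control-Allow-Origin` would depend on the request Origin with no `Vary: Origin` sent. A shared cache could then reuse one origin's response for another. Consider covering every per-origin source, e.g. `if conf.allow_origins ~= "*" or conf.allow_origins_by_regex or conf.allow_origins_by_metadata then`, with a comment such as `-- vary on Origin even when the origin is rejected, so caches never reuse the response across origins`. `header_filter` begins and continues outside the hunk.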
diff --git a/t/plugin/cors3.t b/t/plugin/cors3.t
index 92210a1a3..ae68dec3f 100644
--- a/t/plugin/cors3.t
+++ b/t/plugin/cors3.t
@@ -163,7 +163,7 @@ Origin: http://foo.example.org
 hello world
 --- response_headers
 Access-Control-Allow-Origin:
-Vary:
+Vary: Origin
 Access-Control-Allow-Methods:
 Access-Control-Allow-Headers:
 Access-Control-Expose-Headers:
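Review bot: Both updated expectations (this one and the hunk at -254,7) pin only the rejected-origin case, where `Access-Control-Allow-Origin:` is empty and `Vary: Origin` is now expected. If cors3.t does not already have them (the rest of the file is not visible), two companion cases would cover the other side of the guard. One is a route with `allow_origins` set to `"*"` asserting an empty `Vary:`. The other is a route whose origin is decided by regex or metadata asserting `Vary: Origin`. Together they pin the cache-safety property rather than only the new header on a miss; the test blocks themselves start outside both hunks.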
@@ -254,7 +254,7 @@ Origin: http://foo.example.org
 hello world
 --- response_headers
 Access-Control-Allow-Origin:
-Vary:
+Vary: Origin
 Access-Control-Allow-Methods:
 Access-Control-Allow-Headers:
 Access-Control-Expose-Headers: