Posted to notifications@apisix.apache.org by sp...@apache.org on 2023/03/16 01:17:46 UTC
[apisix] branch master updated: fix: Non wildcard origin in CORS should sent Vary header (#9010)
This is an automated email from the ASF dual-hosted git repository.
spacewander pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new e41cf45de fix: Non wildcard origin in CORS should sent Vary header (#9010)
e41cf45de is described below
commit e41cf45debd885a739840a651b6b7c5c5b7d6258
Author: Warnar Boekkooi <88...@users.noreply.github.com>
AuthorDate: Thu Mar 16 02:17:36 2023 +0100
fix: Non wildcard origin in CORS should sent Vary header (#9010)
---
apisix/plugins/cors.lua | 7 +++----
t/plugin/cors3.t | 4 ++--
2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/apisix/plugins/cors.lua b/apisix/plugins/cors.lua
index f0d911f5d..8e2a468aa 100644
--- a/apisix/plugins/cors.lua
+++ b/apisix/plugins/cors.lua
@@ -190,10 +190,6 @@ local function set_cors_headers(conf, ctx)
end
core.response.set_header("Access-Control-Allow-Origin", ctx.cors_allow_origins)
- if ctx.cors_allow_origins ~= "*" then
- core.response.add_header("Vary", "Origin")
- end
-
core.response.set_header("Access-Control-Allow-Methods", allow_methods)
core.response.set_header("Access-Control-Max-Age", conf.max_age)
core.response.set_header("Access-Control-Expose-Headers", conf.expose_headers)
@@ -308,6 +304,9 @@ function _M.header_filter(conf, ctx)
conf.allow_origins_by_metadata, ctx, req_origin
)
end
+ if conf.allow_origins ~= "*" then
+ core.response.add_header("Vary", "Origin")
+ end
if allow_origins then
ctx.cors_allow_origins = allow_origins
set_cors_headers(conf, ctx)
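Review bot: The new guard `if conf.allow_origins ~= "*" then` looks only at `conf.allow_origins`, yet the context lines just above it show the allowed origin can also be resolved from `conf.allow_origins_by_metadata`. If a route can leave `allow_origins` at `"*"` while narrowing origins through that or another option (not visible here, so confirm against the plugin schema), Access-Control-Allow-Origin would depend on the request Origin without `Vary: Origin`, and a shared cache could hand one origin's response to another. Consider keying the guard on whether the response can differ per origin, and add a comment such as `-- sent even when the origin is rejected, so shared caches key on Origin`. `header_filter` begins and ends outside the hunk.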
diff --git a/t/plugin/cors3.t b/t/plugin/cors3.t
index 92210a1a3..ae68dec3f 100644
--- a/t/plugin/cors3.t
+++ b/t/plugin/cors3.t
@@ -163,7 +163,7 @@ Origin: http://foo.example.org
hello world
--- response_headers
Access-Control-Allow-Origin:
-Vary:
+Vary: Origin
Access-Control-Allow-Methods:
Access-Control-Allow-Headers:
Access-Control-Expose-Headers:
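Review bot: Both updated expectations (this hunk and the one at -254) cover only a rejected origin, where Access-Control-Allow-Origin is empty and `Vary: Origin` is now expected. Nothing in the visible hunks pins the other side of the new guard, namely that a route with `allow_origins` set to `*` still returns no `Vary`. A case asserting an empty `Vary:` for the wildcard configuration would keep the condition from drifting. The test blocks start outside these hunks, so such a case may already exist elsewhere in the file.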
@@ -254,7 +254,7 @@ Origin: http://foo.example.org
hello world
--- response_headers
Access-Control-Allow-Origin:
-Vary:
+Vary: Origin
Access-Control-Allow-Methods:
Access-Control-Allow-Headers:
Access-Control-Expose-Headers: