This is an automated email from the ASF dual-hosted git repository.
membphis pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 149a66a feat: `Vary` needs to be used when
Access-Control-Allow-Origin is not '*' (#2046)
149a66a is described below
commit 149a66ad409e5b9be702c0887eee30a9dafe0424
Author: 罗泽轩 <[email protected]>
AuthorDate: Wed Aug 12 09:12:58 2020 +0800
feat: `Vary` needs to be used when Access-Control-Allow-Origin is not '*'
(#2046)
See https://fetch.spec.whatwg.org/#cors-protocol-and-http-caches.
---
apisix/plugins/cors.lua | 4 ++++
t/plugin/cors.t | 3 +++
2 files changed, 7 insertions(+)
diff --git a/apisix/plugins/cors.lua b/apisix/plugins/cors.lua
index bb9ec90..1cc4ec0 100644
--- a/apisix/plugins/cors.lua
+++ b/apisix/plugins/cors.lua
@@ -128,6 +128,10 @@ local function set_cors_headers(conf, ctx)
end
core.response.set_header("Access-Control-Allow-Origin",
ctx.cors_allow_origins)
+ if ctx.cors_allow_origins ~= "*" then
+ core.response.set_header("Vary", "Origin")
+ end
+
core.response.set_header("Access-Control-Allow-Methods", allow_methods)
core.response.set_header("Access-Control-Max-Age", conf.max_age)
core.response.set_header("Access-Control-Expose-Headers",
conf.expose_headers)
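Review bot: `core.response.set_header("Vary", "Origin")` on the new line overwrites any `Vary` the upstream response already carries (e.g. `Vary: Accept-Encoding`), so a shared cache keyed only on Origin could hand a compressed body to a client that never sent Accept-Encoding; the header should be appended, not replaced. If this version of `core.response` offers an append variant, use `core.response.add_header("Vary", "Origin")`; otherwise read the current value with `ngx.header["Vary"]` and join it with `Origin`. A one-line comment such as `-- per-origin ACAO must not be cached across origins (fetch spec, CORS and HTTP caches)` would make the reason for the `~= "*"` condition clear to the next reader. set_cors_headers begins before this hunk, so the phase in which it runs is not visible here.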
diff --git a/t/plugin/cors.t b/t/plugin/cors.t
index aa61f72..4b0b6b1 100644
--- a/t/plugin/cors.t
+++ b/t/plugin/cors.t
@@ -244,6 +244,7 @@ GET /hello HTTP/1.1
hello world
--- response_headers
Access-Control-Allow-Origin: *
+Vary:
Access-Control-Allow-Methods: *
Access-Control-Allow-Headers: *
Access-Control-Expose-Headers: *
@@ -306,6 +307,7 @@ Origin: http://sub2.domain.com
hello world
--- response_headers
Access-Control-Allow-Origin: http://sub2.domain.com
+Vary: Origin
Access-Control-Allow-Methods: GET,POST
Access-Control-Allow-Headers: headr1,headr2
Access-Control-Expose-Headers: ex-headr1,ex-headr2
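Review bot: The new `Vary: Origin` assertion only covers a mock upstream that emits no `Vary` of its own, so it would not detect the plugin dropping an upstream `Vary` value when it sets the header. A sibling case whose upstream location sets `more_set_headers 'Vary: Accept-Encoding';` (or an equivalent header in the mock) and asserts that both values survive in the response would pin the intended merge behaviour; whether the existing fixtures already expose such an upstream is not visible in this hunk.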
@@ -389,6 +391,7 @@ Access-Control-Request-Headers: req-header1,req-header2
hello world
--- response_headers
Access-Control-Allow-Origin: https://sub.domain.com
+Vary: Origin
Access-Control-Allow-Methods:
GET,POST,PUT,DELETE,PATCH,HEAD,OPTIONS,CONNECT,TRACE
Access-Control-Allow-Headers: req-header1,req-header2
Access-Control-Expose-Headers: *