batman-ezio commented on a change in pull request #3839:
URL: https://github.com/apache/apisix/pull/3839#discussion_r597353916
##########
File path: apisix/plugins/cors.lua
##########
@@ -133,7 +157,7 @@ local function set_cors_headers(conf, ctx)
end
core.response.set_header("Access-Control-Allow-Origin",
ctx.cors_allow_origins)
- if ctx.cors_allow_origins ~= "*" then
+ if ctx.cors_allow_origins ~= "*" or conf.allow_origins_by_regex ~= nil then
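Review bot: the added clause `conf.allow_origins_by_regex ~= nil` on the `if` line carries no comment explaining why a regex configuration needs the same handling as a non-wildcard origin. A one-line comment there, saying that the allowed origin then differs per request, would make the intent clear. Note also that `~= nil` is true for any non-nil value, including an empty table, so if an empty list is a valid configuration it will take this branch too. Consider checking that the list has at least one entry, or enforcing that in the schema.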
Review comment:
If allow_origins_by_regex is matched, the cors_allow_origins will be
the matched domain, not `*`.
For example, if we use `[".*.test.com"]` and the request is from a.test.com,
then the cors_allow_origins will be set to `a.test.com`, not `*`.
`conf.allow_origins_by_regex ~= nil` means we use regex to match many
domains.
The Vary must be set as `Origin`.
If a request may contain an Access-Control-Allow-Origin with different values,
then the CDN should always respond with Vary: Origin.
Check
https://stackoverflow.com/questions/25329405/why-isnt-vary-origin-response-set-on-a-cors-miss
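A small model of why the echoed origin needs `Vary: Origin`, as an added example that is not part of the pull request or of APISIX. The names `cors_headers`, `SharedCache` and `second_client_view` are hypothetical, and the cache is a constructed simplification of a CDN that honours `Vary`.

```python
import re

# Constructed configuration mirroring the reviewer's example pattern.
ALLOW_ORIGINS_BY_REGEX = [r".*.test.com"]


def cors_headers(origin, send_vary):
    """Return CORS response headers for a request Origin (hypothetical helper)."""
    headers = {}
    for pattern in ALLOW_ORIGINS_BY_REGEX:
        if re.fullmatch(pattern, origin):
            # The matched origin is echoed back, never "*".
            headers["Access-Control-Allow-Origin"] = origin
            break
    if send_vary:
        # The response depends on the request's Origin header, match or not.
        headers["Vary"] = "Origin"
    return headers


class SharedCache:
    """Minimal model of a shared cache that honours Vary (constructed)."""

    def __init__(self):
        self.store = {}  # (url, origin) -> response headers

    def fetch(self, url, origin, send_vary):
        for key, headers in self.store.items():
            if key[0] != url:
                continue
            # Without Vary any stored copy is reused; with Vary: Origin
            # only a copy stored for the same Origin is reused.
            if "Vary" not in headers or key[1] == origin:
                return headers, "HIT"
        headers = cors_headers(origin, send_vary)
        self.store[(url, origin)] = headers
        return headers, "MISS"


def second_client_view(send_vary):
    """a.test.com warms the cache, then b.test.com requests the same URL."""
    cache = SharedCache()
    cache.fetch("/api/data", "https://a.test.com", send_vary)
    return cache.fetch("/api/data", "https://b.test.com", send_vary)
```

Without `Vary`, the second client receives the cached `Access-Control-Allow-Origin` of the first client and its browser rejects the response; with `Vary: Origin` the cache stores a separate variant per origin.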