This is an automated email from the ASF dual-hosted git repository. membphis pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
     new 149a66a  feat: `Vary` needs to be used when Access-Control-Allow-Origin is not '*' (#2046)
149a66a is described below

commit 149a66ad409e5b9be702c0887eee30a9dafe0424
Author: 罗泽轩 <spacewander...@gmail.com>
AuthorDate: Wed Aug 12 09:12:58 2020 +0800

    feat: `Vary` needs to be used when Access-Control-Allow-Origin is not '*' (#2046)

    See https://fetch.spec.whatwg.org/#cors-protocol-and-http-caches.
---
 apisix/plugins/cors.lua | 4 ++++
 t/plugin/cors.t         | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/apisix/plugins/cors.lua b/apisix/plugins/cors.lua
index bb9ec90..1cc4ec0 100644
--- a/apisix/plugins/cors.lua
+++ b/apisix/plugins/cors.lua
@@ -128,6 +128,10 @@ local function set_cors_headers(conf, ctx)
 end
 core.response.set_header("Access-Control-Allow-Origin", ctx.cors_allow_origins)
+ if ctx.cors_allow_origins ~= "*" then
+ core.response.set_header("Vary", "Origin")
+ end
+
 core.response.set_header("Access-Control-Allow-Methods", allow_methods)
 core.response.set_header("Access-Control-Max-Age", conf.max_age)
 core.response.set_header("Access-Control-Expose-Headers", conf.expose_headers)
diff --git a/t/plugin/cors.t b/t/plugin/cors.t
index aa61f72..4b0b6b1 100644
--- a/t/plugin/cors.t
+++ b/t/plugin/cors.t
@@ -244,6 +244,7 @@ GET /hello HTTP/1.1
 hello world
 --- response_headers
 Access-Control-Allow-Origin: *
+Vary:
 Access-Control-Allow-Methods: *
 Access-Control-Allow-Headers: *
 Access-Control-Expose-Headers: *
@@ -306,6 +307,7 @@ Origin: http://sub2.domain.com
 hello world
 --- response_headers
 Access-Control-Allow-Origin: http://sub2.domain.com
+Vary: Origin
 Access-Control-Allow-Methods: GET,POST
 Access-Control-Allow-Headers: headr1,headr2
 Access-Control-Expose-Headers: ex-headr1,ex-headr2
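Review bot: `core.response.set_header("Vary", "Origin")` in the cors.lua hunk replaces any `Vary` value the upstream already sent (commonly `Accept-Encoding`), so a shared cache keyed only on Origin could hand a gzip-encoded body to a client that did not ask for it; the header should be merged with the existing value, not overwritten. If `core.response.add_header` exists at this revision the added line becomes `core.response.add_header("Vary", "Origin")`; otherwise read `ngx.header["Vary"]` (which may be a table when several values are present) and append `Origin` unless it is already listed. The enclosing `set_cors_headers` starts outside the hunk, so I cannot see whether `ctx.cors_allow_origins` can be nil here; if it can, `nil ~= "*"` still emits `Vary: Origin`, which is harmless for caching but deserves a short comment such as `-- a per-origin ACAO must vary on Origin so caches keep responses apart (fetch spec, CORS and HTTP caches)`.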
@@ -389,6 +391,7 @@ Access-Control-Request-Headers: req-header1,req-header2
 hello world
 --- response_headers
 Access-Control-Allow-Origin: https://sub.domain.com
+Vary: Origin
 Access-Control-Allow-Methods: GET,POST,PUT,DELETE,PATCH,HEAD,OPTIONS,CONNECT,TRACE
 Access-Control-Allow-Headers: req-header1,req-header2
 Access-Control-Expose-Headers: *