diff --git a/util/httputil/cors.go b/util/httputil/cors.go
index 7e0dac7871..2d4cc91ccb 100644
--- a/util/httputil/cors.go
+++ b/util/httputil/cors.go
@@ -23,11 +23,11 @@ var corsHeaders = map[string]string{
 	"Access-Control-Allow-Headers": "Accept, Authorization, Content-Type, Origin",
 	"Access-Control-Allow-Methods": "GET, POST, OPTIONS",
 	"Access-Control-Expose-Headers": "Date",
-	"Vary": "Origin",
 }
 
-// SetCORS enables cross-site script calls.
+// SetCORS enables cross-origin script calls.
 func SetCORS(w http.ResponseWriter, o *regexp.Regexp, r *http.Request) {
+	w.Header().Add("Vary", "Origin")
 	origin := r.Header.Get("Origin")
 	if origin == "" {
 		return
diff --git a/util/httputil/cors_test.go b/util/httputil/cors_test.go
index 657443ece0..30567947a9 100644
--- a/util/httputil/cors_test.go
+++ b/util/httputil/cors_test.go
@@ -48,8 +48,10 @@ func TestCORSHandler(t *testing.T) {
 	resp, err := client.Do(req)
 	require.NoError(t, err, "client get failed with unexpected error")
 
-	AccessControlAllowOrigin := resp.Header.Get("Access-Control-Allow-Origin")
+	Vary := resp.Header.Get("Vary")
+	require.Equal(t, "Origin", Vary)
 
+	AccessControlAllowOrigin := resp.Header.Get("Access-Control-Allow-Origin")
 	require.Equal(t, dummyOrigin, AccessControlAllowOrigin, "expected Access-Control-Allow-Origin header")
 
 	// OPTIONS with bad origin
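Review bot: The doc comment rewritten on the `+// SetCORS` line still says nothing about `Vary: Origin` now being emitted before the `origin == ""` early return, which is the point of the fix and exactly the line a later refactor is most likely to fold back under the Origin check. That would reintroduce the cache problem: a response produced for a request with no Origin (no CORS headers) and one produced for a matching origin (with Access-Control-Allow-Origin) share a URL, and a shared cache that is not told to key on Origin can serve either one to the other. Suggested comment: `// SetCORS sets the CORS response headers when the request Origin matches o. Vary: Origin is always added, even when the request has no Origin or it does not match, so shared caches key on Origin and never serve a response produced for one origin to another.` Using Add rather than Set keeps any Vary value an outer layer already wrote, at the cost of a duplicated `Origin` entry if SetCORS runs twice on one response, which is worth a word in the same comment. The remainder of SetCORS, where corsHeaders are applied and the origin is matched against o, lies outside this hunk.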
@@ -62,4 +64,20 @@ func TestCORSHandler(t *testing.T) {
 
 	AccessControlAllowOrigin = resp.Header.Get("Access-Control-Allow-Origin")
 	require.Empty(t, AccessControlAllowOrigin, "Access-Control-Allow-Origin header should not exist but it was set")
+
+	Vary = resp.Header.Get("Vary")
+	require.Equal(t, "Origin", Vary)
+
+	// OPTIONS with no origin
+	req, err = http.NewRequest(http.MethodOptions, server.URL+"/any_path", nil)
+	require.NoError(t, err)
+
+	resp, err = client.Do(req)
+	require.NoError(t, err)
+
+	Vary = resp.Header.Get("Vary")
+	require.Equal(t, "Origin", Vary)
+
+	AccessControlAllowOrigin = resp.Header.Get("Access-Control-Allow-Origin")
+	require.Empty(t, AccessControlAllowOrigin)
 }
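Review bot: The two added `require.Equal(t, "Origin", Vary)` checks read the header through `resp.Header.Get("Vary")`, which returns only the first value, so a duplicated `Origin` entry (SetCORS now uses Add, so running it twice on a response produces one) or an extra Vary value added by another layer would go unnoticed. Asserting the full value set is the stronger test and costs one line: `require.Equal(t, []string{"Origin"}, resp.Header.Values("Vary"))`. `Header.Values` presumably matches the module's minimum Go version (it needs 1.14 or later); if not, `resp.Header["Vary"]` yields the same slice. The no-origin case added here is the one that matters most, since it is the response with no CORS headers that a cache would otherwise hand to a cross-origin caller. TestCORSHandler begins before this hunk.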