S3: Add `Vary` header for non-wildcard AllowOrigin (#7547)

2 files changed, 6 insertions, 0 deletions

diff --git a/weed/s3api/cors/cors.go b/weed/s3api/cors/cors.go
index d6eb520af..ac9e7cca3 100644
--- a/weed/s3api/cors/cors.go
+++ b/weed/s3api/cors/cors.go
@@ -361,6 +361,10 @@ func ApplyHeaders(w http.ResponseWriter, corsResp *CORSResponse) {
 
 	if corsResp.AllowOrigin != "" {
 		w.Header().Set("Access-Control-Allow-Origin", corsResp.AllowOrigin)
+
+		if corsResp.AllowOrigin != "*" {
+			w.Header().Add("Vary", "Origin")
+		}
 	}
 
 	if corsResp.AllowMethods != "" {
diff --git a/weed/s3api/cors/cors_test.go b/weed/s3api/cors/cors_test.go
index 1b5c54028..8494a284d 100644
--- a/weed/s3api/cors/cors_test.go
+++ b/weed/s3api/cors/cors_test.go
@@ -480,6 +480,7 @@ func TestApplyHeaders(t *testing.T) {
 				"Access-Control-Allow-Headers":  "Content-Type",
 				"Access-Control-Expose-Headers": "ETag",
 				"Access-Control-Max-Age":        "3600",
+				"Vary":        					 "Origin",
 			},
 		},
 		{
@@ -493,6 +494,7 @@ func TestApplyHeaders(t *testing.T) {
 				"Access-Control-Allow-Origin":      "http://example.com",
 				"Access-Control-Allow-Methods":     "GET",
 				"Access-Control-Allow-Credentials": "true",
+				"Vary":        					    "Origin",
 			},
 		},
 	}