cors: Include Vary: Origin when using the request's Origin

Otherwise, multiple frontends attempting to use the same data may get denials because the browser served a cached response from when it used a different origin. Change-Id: I6ec8b8ceb8c6a58e74772e57e6fe5700f6ff8db1
2022-03-09 22:18:49 -08:00 · 2022-03-09 22:18:49 -08:00 · bab7f93223
commit bab7f93223
parent 3ff3076ce6
2 changed files with 10 additions and 0 deletions
--- a/swift/proxy/controllers/base.py
+++ b/swift/proxy/controllers/base.py
@ -377,6 +377,10 @@ def cors_validation(func):
                    resp.headers['Access-Control-Allow-Origin'] = '*'
                else:
                    resp.headers['Access-Control-Allow-Origin'] = req_origin
+                    if 'Vary' in resp.headers:
+                        resp.headers['Vary'] += ', Origin'
+                    else:
+                        resp.headers['Vary'] = 'Origin'

            return resp
        else:
--- a/test/unit/proxy/test_server.py
+++ b/test/unit/proxy/test_server.py
@ -6484,6 +6484,7 @@ class TestReplicatedObjectController(
        self.assertEqual(200, resp.status_int)
        self.assertEqual('http://foo.bar',
                         resp.headers['access-control-allow-origin'])
+        self.assertEqual('Origin', resp.headers['vary'])
        self.assertEqual('red', resp.headers['x-object-meta-color'])
        # X-Super-Secret is in the response, but not "exposed"
        self.assertEqual('hush', resp.headers['x-super-secret'])
@ -6506,6 +6507,7 @@ class TestReplicatedObjectController(
        self.assertEqual(200, resp.status_int)
        self.assertEqual('*',
                         resp.headers['access-control-allow-origin'])
+        self.assertNotIn('vary', resp.headers)

        # test allow_origin empty
        container_cors = {'allow_origin': ''}
@ -6514,6 +6516,7 @@ class TestReplicatedObjectController(
        self.assertEqual(200, resp.status_int)
        self.assertEqual('http://foo.bar',
                         resp.headers['access-control-allow-origin'])
+        self.assertEqual('Origin', resp.headers['vary'])

    def test_CORS_valid_strict(self):
        # test expose_headers to non-allowed origins
@ -6535,6 +6538,7 @@ class TestReplicatedObjectController(
        self.assertEqual(200, resp.status_int)
        self.assertEqual('*',
                         resp.headers['access-control-allow-origin'])
+        self.assertNotIn('vary', resp.headers)
        self.assertEqual('red', resp.headers['x-object-meta-color'])
        # X-Super-Secret is in the response, but not "exposed"
        self.assertEqual('hush', resp.headers['x-super-secret'])
@ -6554,6 +6558,7 @@ class TestReplicatedObjectController(
            container_cors=container_cors, strict_mode=True)
        self.assertNotIn('access-control-expose-headers', resp.headers)
        self.assertNotIn('access-control-allow-origin', resp.headers)
+        self.assertNotIn('vary', resp.headers)

        # test proxy server cors_allow_origin option
        self.app.cors_allow_origin = ['http://foo.bar']
@ -6561,6 +6566,7 @@ class TestReplicatedObjectController(
            container_cors=container_cors, strict_mode=True)
        self.assertEqual('http://foo.bar',
                         resp.headers['access-control-allow-origin'])
+        self.assertEqual('Origin', resp.headers['vary'])
        self.assertEqual(expected_exposed, exposed)

    def test_CORS_valid_with_obj_headers(self):