authorTim Burke <tim.burke@gmail.com>2022-03-09 22:18:49 -0800
committerTim Burke <tim.burke@gmail.com>2022-03-09 22:18:55 -0800
commitbab7f93223ae5c4721ba8a224cc12ec05bcac8bf (patch)
tree08d14d87162b5257abee10644461fd294977e88f /test/unit/proxy
parent3ff3076ce6648937993e90334b7a9f532b06806c (diff)
cors: Include `Vary: Origin` when using the request's Origin
Otherwise, multiple frontends attempting to use the same data may get denials because the browser served a cached response from when it used a different origin. Change-Id: I6ec8b8ceb8c6a58e74772e57e6fe5700f6ff8db1
Diffstat (limited to 'test/unit/proxy')
-rw-r--r--test/unit/proxy/test_server.py6
1 files changed, 6 insertions, 0 deletions
diff --git a/test/unit/proxy/test_server.py b/test/unit/proxy/test_server.py
index 4249c41c2..5158a09cc 100644
--- a/test/unit/proxy/test_server.py
+++ b/test/unit/proxy/test_server.py
@@ -6484,6 +6484,7 @@ class TestReplicatedObjectController(
self.assertEqual(200, resp.status_int)
self.assertEqual('http://foo.bar',
resp.headers['access-control-allow-origin'])
+ self.assertEqual('Origin', resp.headers['vary'])
self.assertEqual('red', resp.headers['x-object-meta-color'])
# X-Super-Secret is in the response, but not "exposed"
self.assertEqual('hush', resp.headers['x-super-secret'])
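Review bot: `self.assertEqual('Origin', resp.headers['vary'])` pins the whole Vary value, so the test breaks as soon as the proxy lists any other member next to Origin, although the property being checked is only that Origin is present; the same exact-match form is repeated at L41 and L63. Vary member names are also compared case-insensitively by caches, so a spelling change would fail the test without changing behaviour. A membership check such as `self.assertIn('origin', [v.strip().lower() for v in resp.headers['vary'].split(',')])` covers what the commit actually guarantees. The enclosing test method starts before this hunk.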
@@ -6506,6 +6507,7 @@ class TestReplicatedObjectController(
self.assertEqual(200, resp.status_int)
self.assertEqual('*',
resp.headers['access-control-allow-origin'])
+ self.assertNotIn('vary', resp.headers)
# test allow_origin empty
container_cors = {'allow_origin': ''}
@@ -6514,6 +6516,7 @@ class TestReplicatedObjectController(
self.assertEqual(200, resp.status_int)
self.assertEqual('http://foo.bar',
resp.headers['access-control-allow-origin'])
+ self.assertEqual('Origin', resp.headers['vary'])
def test_CORS_valid_strict(self):
# test expose_headers to non-allowed origins
@@ -6535,6 +6538,7 @@ class TestReplicatedObjectController(
self.assertEqual(200, resp.status_int)
self.assertEqual('*',
resp.headers['access-control-allow-origin'])
+ self.assertNotIn('vary', resp.headers)
self.assertEqual('red', resp.headers['x-object-meta-color'])
# X-Super-Secret is in the response, but not "exposed"
self.assertEqual('hush', resp.headers['x-super-secret'])
@@ -6554,6 +6558,7 @@ class TestReplicatedObjectController(
container_cors=container_cors, strict_mode=True)
self.assertNotIn('access-control-expose-headers', resp.headers)
self.assertNotIn('access-control-allow-origin', resp.headers)
+ self.assertNotIn('vary', resp.headers)
# test proxy server cors_allow_origin option
self.app.cors_allow_origin = ['http://foo.bar']
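Review bot: `self.assertNotIn('vary', resp.headers)` on the strict-mode denial response may pin the wrong behaviour: the assertions around it show that the same request with a permitted origin (the `cors_allow_origin` case that follows) does receive `access-control-allow-origin`, so the response still differs by Origin even though it carries no CORS headers, and a shared cache that stores this denial could serve it to an allowed origin, which is the cross-origin cache mix-up the commit message sets out to fix. Whether the proxy emits Vary on that branch is decided in the proxy code rather than in this file, so this is inferred from the test alone. If the intent is that every origin-dependent decision sets Vary, the line should become `self.assertEqual('Origin', resp.headers['vary'])`. The enclosing method `test_CORS_valid_strict` starts before this hunk.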
@@ -6561,6 +6566,7 @@ class TestReplicatedObjectController(
container_cors=container_cors, strict_mode=True)
self.assertEqual('http://foo.bar',
resp.headers['access-control-allow-origin'])
+ self.assertEqual('Origin', resp.headers['vary'])
self.assertEqual(expected_exposed, exposed)
def test_CORS_valid_with_obj_headers(self):