Merge pull request #32 from fruitcake/feat-multiple-vary-headers

barryvdh · web-flow · commit cca409bfef21 · 2025-03-13T14:08:36.000+01:00
Check multiple Vary headers when existing
diff --git a/src/CorsService.php b/src/CorsService.php
@@ -276,8 +276,15 @@ public function varyHeader(Response $response, string $header): Response
     {
         if (!$response->headers->has('Vary')) {
             $response->headers->set('Vary', $header);
-        } elseif (!in_array($header, explode(', ', (string) $response->headers->get('Vary')))) {
-            $response->headers->set('Vary', ((string) $response->headers->get('Vary')) . ', ' . $header);
+        } else {
+            $varyHeaders = $response->getVary();
+            if (!in_array($header, $varyHeaders, true)) {
+                if (count($response->headers->all('Vary')) === 1) {
+                    $response->setVary(((string)$response->headers->get('Vary')) . ', ' . $header);
+                } else {
+                    $response->setVary($header, false);
+                }
+            }
         }
 
         return $response;
diff --git a/tests/CorsTest.php b/tests/CorsTest.php
@@ -274,6 +274,32 @@ public function itAppendsAnExistingVaryHeader(): void
         $this->assertEquals('Content-Type, Origin', $response->headers->get('Vary'));
     }
 
+    /**
+     * @test
+     * @see http://www.w3.org/TR/cors/index.html#resource-implementation
+     */
+    public function itAppendsMultipleExistingVaryHeaders(): void
+    {
+        $app      = $this->createStackedApp(
+            array(
+                'allowedOrigins' => ['*'],
+                'supportsCredentials' => true,
+            ),
+            array(
+                'Vary' => [
+                    'Content-Type',
+                    'Referer',
+                ],
+            )
+        );
+        $request  = $this->createValidActualRequest();
+
+        $response = $app->handle($request);
+
+        $this->assertCount(3, $response->headers->all('Vary'));
+        $this->assertEquals(['Content-Type', 'Referer', 'Origin'], $response->headers->all('Vary'));
+    }
+
     /**
      * @test
      */
@@ -555,7 +581,7 @@ private function createValidPreflightRequest(): Request
 
     /**
      * @param CorsInputOptions $options
-     * @param string[] $responseHeaders
+     * @param array<array<string>|string> $responseHeaders
      * @return MockApp
      */
     private function createStackedApp(array $options = array(), array $responseHeaders = array()): MockApp
diff --git a/tests/MockApp.php b/tests/MockApp.php
@@ -21,7 +21,7 @@
  */
 class MockApp
 {
-    /** @var string[] */
+    /** @var array<array<string>|string> */
     private $responseHeaders;
 
     /**
@@ -30,7 +30,7 @@ class MockApp
     private $cors;
 
     /**
-     * @param string[] $responseHeaders
+     * @param array<array<string>|string> $responseHeaders
      * @param CorsInputOptions $options
      */
     public function __construct(array $responseHeaders, array $options = [])
