Issue #12 (Do not send Vary if Allowed-origin is *) had been reverted accidentally. This puts it back in place and also adds it for preflight requests.

NickMRamirez · NickMRamirez · commit 0a7214493734 · 2020-12-12T12:49:10.000-05:00
diff --git a/example/haproxy/cors.lua b/example/haproxy/cors.lua
@@ -82,6 +82,10 @@ function preflight_request_ver2(txn, origin, allowed_methods, allowed_origins, a
   else
     core.Debug("CORS: " .. origin .. " allowed")
     reply:add_header("Access-Control-Allow-Origin", allowed_origin)
+
+    if allowed_origin ~= "*" then
+      reply:add_header("Vary", "Accept-Encoding,Origin")
+    end
   end
 
   core.Debug("CORS: Returning reply to preflight request")
@@ -135,9 +139,6 @@ function cors_response(txn)
   local allowed_headers = transaction_data["allowed_headers"]
   local method = transaction_data["method"]
 
-  -- Always vary on the Origin
-  txn.http:res_add_header("Vary", "Accept-Encoding,Origin")
-
   -- Bail if client did not send an Origin
   if origin == nil or origin == '' then
     return
@@ -154,6 +155,10 @@ function cors_response(txn)
     
     core.Debug("CORS: " .. origin .. " allowed")
     txn.http:res_set_header("Access-Control-Allow-Origin", allowed_origin)
+
+    if allowed_origin ~= "*" then
+      txn.http:res_add_header("Vary", "Accept-Encoding,Origin")
+    end
   end
 end
 
diff --git a/example/web/index.js b/example/web/index.js
@@ -15,7 +15,6 @@ app.get('/', function (req, res) {
 
 // the API
 app.get('/getdata', function(req, res) {
-  res.set("Access-Control-Allow-Origin", "blah.com") // this should be overwritten by HAProxy
   res.send('Message from the server!')
 })
 
