Setting header "Vary: Origin" only if the "Access-Control-Allow-Origin"-header is dynamic.

nepomuc · marianaballa · commit 1f61df77beb3 · 2020-11-05T14:33:18.000+01:00
diff --git a/public_html/lists/index.php b/public_html/lists/index.php
@@ -54,7 +54,9 @@
 
 $I18N = new phplist_I18N();
 header('Access-Control-Allow-Origin: '.ACCESS_CONTROL_ALLOW_ORIGIN);
-header('Vary: Origin'); // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin#CORS_and_caching
+if (defined('ACCESS_CONTROL_ALLOW_ORIGINS') && count('ACCESS_CONTROL_ALLOW_ORIGINS') > 1) {
+    header('Vary: Origin'); // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin#CORS_and_caching
+}
 
 if (!empty($GLOBALS['SessionTableName'])) {
     require_once dirname(__FILE__).'/admin/sessionlib.php';
