
Commit 4a87d3d

committed
Set Vary: Origin on CORS unauthorized response
Issue: SPR-16224
1 parent 652e5c5 commit 4a87d3d


4 files changed

+47
-6
lines changed


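--- a/spring-web/src/main/java/org/springframework/web/cors/DefaultCorsProcessor.java
+++ b/spring-web/src/main/java/org/springframework/web/cors/DefaultCorsProcessor.java
@@ -119,6 +119,10 @@ protected boolean handleInternal(ServerHttpRequest request, ServerHttpResponse r
 
 String requestOrigin = request.getHeaders().getOrigin();
 String allowOrigin = checkOrigin(config, requestOrigin);
+HttpHeaders responseHeaders = response.getHeaders();
+
+responseHeaders.add(HttpHeaders.VARY, HttpHeaders.ORIGIN);
+
 if (allowOrigin == null) {
 logger.debug("Rejecting CORS request because '" + requestOrigin + "' origin is not allowed");
 rejectRequest(response);
@@ -141,9 +145,7 @@ protected boolean handleInternal(ServerHttpRequest request, ServerHttpResponse r
 return false;
 }
 
-HttpHeaders responseHeaders = response.getHeaders();
 responseHeaders.setAccessControlAllowOrigin(allowOrigin);
-responseHeaders.add(HttpHeaders.VARY, HttpHeaders.ORIGIN);
 
 if (preFlightRequest) {
 responseHeaders.setAccessControlAllowMethods(allowMethods);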
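Review bot: The added `responseHeaders.add(HttpHeaders.VARY, HttpHeaders.ORIGIN);` names only `Origin`, yet the preflight branch in the second hunk writes `Access-Control-Allow-Methods`, so a preflight answer presumably also depends on `Access-Control-Request-Method` and `Access-Control-Request-Headers` (the code that computes `allowMethods` is outside the hunk). A cache keyed on `Origin` alone could then replay a preflight result computed for a different method or header set. Consider `responseHeaders.addAll(HttpHeaders.VARY, Arrays.asList(HttpHeaders.ORIGIN, HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS));`. A one-line comment above it would also help, for example `// Set Vary before the origin check so that a rejection is never cached across origins`. `handleInternal` starts and ends outside both hunks; the reactive processor has the same `Origin`-only Vary.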

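--- a/spring-web/src/main/java/org/springframework/web/cors/reactive/DefaultCorsProcessor.java
+++ b/spring-web/src/main/java/org/springframework/web/cors/reactive/DefaultCorsProcessor.java
@@ -105,6 +105,9 @@ protected boolean handleInternal(ServerWebExchange exchange,
 
 ServerHttpRequest request = exchange.getRequest();
 ServerHttpResponse response = exchange.getResponse();
+HttpHeaders responseHeaders = response.getHeaders();
+
+response.getHeaders().add(HttpHeaders.VARY, HttpHeaders.ORIGIN);
 
 String requestOrigin = request.getHeaders().getOrigin();
 String allowOrigin = checkOrigin(config, requestOrigin);
@@ -130,9 +133,7 @@ protected boolean handleInternal(ServerWebExchange exchange,
 return false;
 }
 
-HttpHeaders responseHeaders = response.getHeaders();
 responseHeaders.setAccessControlAllowOrigin(allowOrigin);
-responseHeaders.add(HttpHeaders.VARY, HttpHeaders.ORIGIN);
 
 if (preFlightRequest) {
 responseHeaders.setAccessControlAllowMethods(allowMethods);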
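Review bot: The new local `responseHeaders` is declared and then bypassed on the very next statement, which calls `response.getHeaders().add(...)` again; write `responseHeaders.add(HttpHeaders.VARY, HttpHeaders.ORIGIN);` so the local is used consistently. Vary is also added here before `checkOrigin`, whereas the servlet processor adds it after; as far as the hunks show the outcome is the same, but keeping both processors in the same order would make them easier to compare when the CORS logic changes. `handleInternal` starts and ends outside both hunks.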

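--- a/spring-web/src/test/java/org/springframework/web/cors/DefaultCorsProcessorTests.java
+++ b/spring-web/src/test/java/org/springframework/web/cors/DefaultCorsProcessorTests.java
@@ -65,6 +65,7 @@ public void actualRequestWithOriginHeader() throws Exception {
 
 this.processor.processRequest(this.conf, this.request, this.response);
 assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
 assertEquals(HttpServletResponse.SC_FORBIDDEN, this.response.getStatus());
 }
 
@@ -89,6 +90,7 @@ public void actualRequestWithOriginHeaderAndAllowedOrigin() throws Exception {
 assertEquals("*", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
 assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_MAX_AGE));
 assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS));
+assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
 assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
 }
 
@@ -106,6 +108,7 @@ public void actualRequestCredentials() throws Exception {
 assertEquals("http://domain2.com", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
 assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
 assertEquals("true", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
+assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
 assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
 }
 
@@ -121,6 +124,7 @@ public void actualRequestCredentialsWithOriginWildcard() throws Exception {
 assertEquals("http://domain2.com", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
 assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
 assertEquals("true", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
+assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
 assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
 }
 
@@ -132,6 +136,7 @@ public void actualRequestCaseInsensitiveOriginMatch() throws Exception {
 
 this.processor.processRequest(this.conf, this.request, this.response);
 assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
 assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
 }
 
@@ -149,6 +154,7 @@ public void actualRequestExposedHeaders() throws Exception {
 assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS));
 assertTrue(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS).contains("header1"));
 assertTrue(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS).contains("header2"));
+assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
 assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
 }
 
@@ -160,6 +166,7 @@ public void preflightRequestAllOriginsAllowed() throws Exception {
 this.conf.addAllowedOrigin("*");
 
 this.processor.processRequest(this.conf, this.request, this.response);
+assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
 assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
 }
 
@@ -171,6 +178,7 @@ public void preflightRequestWrongAllowedMethod() throws Exception {
 this.conf.addAllowedOrigin("*");
 
 this.processor.processRequest(this.conf, this.request, this.response);
+assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
 assertEquals(HttpServletResponse.SC_FORBIDDEN, this.response.getStatus());
 }
 
@@ -184,6 +192,7 @@ public void preflightRequestMatchedAllowedMethod() throws Exception {
 this.processor.processRequest(this.conf, this.request, this.response);
 assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
 assertEquals("GET,HEAD", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
+assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
 }
 
 @Test
@@ -193,6 +202,7 @@ public void preflightRequestTestWithOriginButWithoutOtherHeaders() throws Except
 
 this.processor.processRequest(this.conf, this.request, this.response);
 assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
 assertEquals(HttpServletResponse.SC_FORBIDDEN, this.response.getStatus());
 }
 
@@ -204,6 +214,7 @@ public void preflightRequestWithoutRequestMethod() throws Exception {
 
 this.processor.processRequest(this.conf, this.request, this.response);
 assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
 assertEquals(HttpServletResponse.SC_FORBIDDEN, this.response.getStatus());
 }
 
@@ -216,6 +227,7 @@ public void preflightRequestWithRequestAndMethodHeaderButNoConfig() throws Excep
 
 this.processor.processRequest(this.conf, this.request, this.response);
 assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
 assertEquals(HttpServletResponse.SC_FORBIDDEN, this.response.getStatus());
 }
 
@@ -237,6 +249,7 @@ public void preflightRequestValidRequestAndConfig() throws Exception {
 assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
 assertEquals("GET,PUT", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
 assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_MAX_AGE));
+assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
 assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
 }
 
@@ -257,6 +270,7 @@ public void preflightRequestCredentials() throws Exception {
 assertEquals("http://domain2.com", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
 assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
 assertEquals("true", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
+assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
 assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
 }
 
@@ -275,6 +289,7 @@ public void preflightRequestCredentialsWithOriginWildcard() throws Exception {
 this.processor.processRequest(this.conf, this.request, this.response);
 assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
 assertEquals("http://domain2.com", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
+assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
 assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
 }
 
@@ -295,6 +310,7 @@ public void preflightRequestAllowedHeaders() throws Exception {
 assertTrue(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header1"));
 assertTrue(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header2"));
 assertFalse(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header3"));
+assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
 assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
 }
 
@@ -313,6 +329,7 @@ public void preflightRequestAllowsAllHeaders() throws Exception {
 assertTrue(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header1"));
 assertTrue(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header2"));
 assertFalse(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("*"));
+assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
 assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
 }
 
@@ -328,6 +345,7 @@ public void preflightRequestWithEmptyHeaders() throws Exception {
 this.processor.processRequest(this.conf, this.request, this.response);
 assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
 assertFalse(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS));
+assertEquals(HttpHeaders.ORIGIN, this.response.getHeader(HttpHeaders.VARY));
 assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
 }
 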
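Review bot: Every added assertion reads Vary through `this.response.getHeader(HttpHeaders.VARY)`, which (assuming `this.response` is the mock servlet response) returns only the first value, so these tests would still pass if the processor wrote `Vary: Origin` twice or appended a wrong second value. The reactive tests have the same gap with `getFirst(HttpHeaders.VARY)`. Because the production code uses `add` rather than `set`, comparing the whole list pins the behaviour more tightly: `assertEquals(Collections.singletonList(HttpHeaders.ORIGIN), this.response.getHeaders(HttpHeaders.VARY));`. None of the visible hunks covers a response that already carries a Vary value before `processRequest` runs, which is the case `add` is presumably there to preserve.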

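--- a/spring-web/src/test/java/org/springframework/web/cors/reactive/DefaultCorsProcessorTests.java
+++ b/spring-web/src/test/java/org/springframework/web/cors/reactive/DefaultCorsProcessorTests.java
@@ -63,6 +63,7 @@ public void actualRequestWithOriginHeader() throws Exception {
 
 ServerHttpResponse response = exchange.getResponse();
 assertFalse(response.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_ORIGIN));
+assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
 assertEquals(HttpStatus.FORBIDDEN, response.getStatusCode());
 }
 
@@ -87,6 +88,7 @@ public void actualRequestWithOriginHeaderAndAllowedOrigin() throws Exception {
 assertEquals("*", response.getHeaders().getFirst(ACCESS_CONTROL_ALLOW_ORIGIN));
 assertFalse(response.getHeaders().containsKey(HttpHeaders.ACCESS_CONTROL_MAX_AGE));
 assertFalse(response.getHeaders().containsKey(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS));
+assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
 assertNull(response.getStatusCode());
 }
 
@@ -104,6 +106,7 @@ public void actualRequestCredentials() throws Exception {
 assertEquals("http://domain2.com", response.getHeaders().getFirst(ACCESS_CONTROL_ALLOW_ORIGIN));
 assertTrue(response.getHeaders().containsKey(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
 assertEquals("true", response.getHeaders().getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
+assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
 assertNull(response.getStatusCode());
 }
 
@@ -119,6 +122,7 @@ public void actualRequestCredentialsWithOriginWildcard() throws Exception {
 assertEquals("http://domain2.com", response.getHeaders().getFirst(ACCESS_CONTROL_ALLOW_ORIGIN));
 assertTrue(response.getHeaders().containsKey(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
 assertEquals("true", response.getHeaders().getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
+assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
 assertNull(response.getStatusCode());
 }
 
@@ -130,6 +134,7 @@ public void actualRequestCaseInsensitiveOriginMatch() throws Exception {
 
 ServerHttpResponse response = exchange.getResponse();
 assertTrue(response.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_ORIGIN));
+assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
 assertNull(response.getStatusCode());
 }
 
@@ -147,6 +152,7 @@ public void actualRequestExposedHeaders() throws Exception {
 assertTrue(response.getHeaders().containsKey(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS));
 assertTrue(response.getHeaders().getFirst(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS).contains("header1"));
 assertTrue(response.getHeaders().getFirst(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS).contains("header2"));
+assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
 assertNull(response.getStatusCode());
 }
 
@@ -157,7 +163,9 @@ public void preflightRequestAllOriginsAllowed() throws Exception {
 this.conf.addAllowedOrigin("*");
 this.processor.process(this.conf, exchange);
 
-assertNull(exchange.getResponse().getStatusCode());
+ServerHttpResponse response = exchange.getResponse();
+assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
+assertNull(response.getStatusCode());
 }
 
 
@@ -168,7 +176,9 @@ public void preflightRequestWrongAllowedMethod() throws Exception {
 this.conf.addAllowedOrigin("*");
 this.processor.process(this.conf, exchange);
 
-assertEquals(HttpStatus.FORBIDDEN, exchange.getResponse().getStatusCode());
+ServerHttpResponse response = exchange.getResponse();
+assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
+assertEquals(HttpStatus.FORBIDDEN, response.getStatusCode());
 }
 
 @Test
@@ -180,6 +190,7 @@ public void preflightRequestMatchedAllowedMethod() throws Exception {
 
 ServerHttpResponse response = exchange.getResponse();
 assertNull(response.getStatusCode());
+assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
 assertEquals("GET,HEAD", response.getHeaders().getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
 }
 
@@ -190,6 +201,7 @@ public void preflightRequestTestWithOriginButWithoutOtherHeaders() throws Except
 
 ServerHttpResponse response = exchange.getResponse();
 assertFalse(response.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_ORIGIN));
+assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
 assertEquals(HttpStatus.FORBIDDEN, response.getStatusCode());
 }
 
@@ -201,6 +213,7 @@ public void preflightRequestWithoutRequestMethod() throws Exception {
 
 ServerHttpResponse response = exchange.getResponse();
 assertFalse(response.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_ORIGIN));
+assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
 assertEquals(HttpStatus.FORBIDDEN, response.getStatusCode());
 }
 
@@ -214,6 +227,7 @@ public void preflightRequestWithRequestAndMethodHeaderButNoConfig() throws Excep
 
 ServerHttpResponse response = exchange.getResponse();
 assertFalse(response.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_ORIGIN));
+assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
 assertEquals(HttpStatus.FORBIDDEN, response.getStatusCode());
 }
 
@@ -237,6 +251,7 @@ public void preflightRequestValidRequestAndConfig() throws Exception {
 assertTrue(response.getHeaders().containsKey(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
 assertEquals("GET,PUT", response.getHeaders().getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
 assertFalse(response.getHeaders().containsKey(HttpHeaders.ACCESS_CONTROL_MAX_AGE));
+assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
 assertNull(response.getStatusCode());
 }
 
@@ -259,6 +274,7 @@ public void preflightRequestCredentials() throws Exception {
 assertEquals("http://domain2.com", response.getHeaders().getFirst(ACCESS_CONTROL_ALLOW_ORIGIN));
 assertTrue(response.getHeaders().containsKey(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
 assertEquals("true", response.getHeaders().getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
+assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
 assertNull(response.getStatusCode());
 }
 
@@ -279,6 +295,7 @@ public void preflightRequestCredentialsWithOriginWildcard() throws Exception {
 ServerHttpResponse response = exchange.getResponse();
 assertTrue(response.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_ORIGIN));
 assertEquals("http://domain2.com", response.getHeaders().getFirst(ACCESS_CONTROL_ALLOW_ORIGIN));
+assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
 assertNull(response.getStatusCode());
 }
 
@@ -301,6 +318,7 @@ public void preflightRequestAllowedHeaders() throws Exception {
 assertTrue(response.getHeaders().getFirst(ACCESS_CONTROL_ALLOW_HEADERS).contains("Header1"));
 assertTrue(response.getHeaders().getFirst(ACCESS_CONTROL_ALLOW_HEADERS).contains("Header2"));
 assertFalse(response.getHeaders().getFirst(ACCESS_CONTROL_ALLOW_HEADERS).contains("Header3"));
+assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
 assertNull(response.getStatusCode());
 }
 
@@ -321,6 +339,7 @@ public void preflightRequestAllowsAllHeaders() throws Exception {
 assertTrue(response.getHeaders().getFirst(ACCESS_CONTROL_ALLOW_HEADERS).contains("Header1"));
 assertTrue(response.getHeaders().getFirst(ACCESS_CONTROL_ALLOW_HEADERS).contains("Header2"));
 assertFalse(response.getHeaders().getFirst(ACCESS_CONTROL_ALLOW_HEADERS).contains("*"));
+assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
 assertNull(response.getStatusCode());
 }
 
@@ -338,6 +357,7 @@ public void preflightRequestWithEmptyHeaders() throws Exception {
 ServerHttpResponse response = exchange.getResponse();
 assertTrue(response.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_ORIGIN));
 assertFalse(response.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_HEADERS));
+assertEquals(HttpHeaders.ORIGIN, response.getHeaders().getFirst(HttpHeaders.VARY));
 assertNull(response.getStatusCode());
 }
 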
