util/httputil: Always add Vary header in SetCORS

Closes #15406

Signed-off-by: jub0bs <jcretel-infosec+github@protonmail.com>

util/httputil/cors.go

@@ -23,11 +23,11 @@ var corsHeaders = map[string]string{
 	"Access-Control-Allow-Headers":  "Accept, Authorization, Content-Type, Origin",
 	"Access-Control-Allow-Methods":  "GET, POST, OPTIONS",
 	"Access-Control-Expose-Headers": "Date",
-	"Vary":                          "Origin",
 }
 
-// SetCORS enables cross-site script calls.
+// SetCORS enables cross-origin script calls.
 func SetCORS(w http.ResponseWriter, o *regexp.Regexp, r *http.Request) {
+	w.Header().Add("Vary", "Origin")
 	origin := r.Header.Get("Origin")
 	if origin == "" {
 		return

util/httputil/cors_test.go

@@ -48,8 +48,10 @@ func TestCORSHandler(t *testing.T) {
 	resp, err := client.Do(req)
 	require.NoError(t, err, "client get failed with unexpected error")
 
-	AccessControlAllowOrigin := resp.Header.Get("Access-Control-Allow-Origin")
+	Vary := resp.Header.Get("Vary")
+	require.Equal(t, "Origin", Vary)
 
+	AccessControlAllowOrigin := resp.Header.Get("Access-Control-Allow-Origin")
 	require.Equal(t, dummyOrigin, AccessControlAllowOrigin, "expected Access-Control-Allow-Origin header")
 
 	// OPTIONS with bad origin
@@ -62,4 +64,20 @@ func TestCORSHandler(t *testing.T) {
 
 	AccessControlAllowOrigin = resp.Header.Get("Access-Control-Allow-Origin")
 	require.Empty(t, AccessControlAllowOrigin, "Access-Control-Allow-Origin header should not exist but it was set")
+
+	Vary = resp.Header.Get("Vary")
+	require.Equal(t, "Origin", Vary)
+
+	// OPTIONS with no origin
+	req, err = http.NewRequest(http.MethodOptions, server.URL+"/any_path", nil)
+	require.NoError(t, err)
+
+	resp, err = client.Do(req)
+	require.NoError(t, err)
+
+	Vary = resp.Header.Get("Vary")
+	require.Equal(t, "Origin", Vary)
+
+	AccessControlAllowOrigin = resp.Header.Get("Access-Control-Allow-Origin")
+	require.Empty(t, AccessControlAllowOrigin)
 }