From 95bebd943fbe50401128594c75b6ef0213544c43 Mon Sep 17 00:00:00 2001
From: "Barry vd. Heuvel"
Date: Thu, 13 Mar 2025 13:59:54 +0100
Subject: [PATCH 1/2] Check multiple Vary headers when existing
---
 src/CorsService.php | 11 +++++++++--
 tests/CorsTest.php | 28 +++++++++++++++++++++++++++-
 tests/MockApp.php | 4 ++--
 3 files changed, 38 insertions(+), 5 deletions(-)
diff --git a/src/CorsService.php b/src/CorsService.php
index 35a3f73..69f80c8 100644
--- a/src/CorsService.php
+++ b/src/CorsService.php
@@ -276,8 +276,15 @@ public function varyHeader(Response $response, string $header): Response
 {
 if (!$response->headers->has('Vary')) {
 $response->headers->set('Vary', $header);
- } elseif (!in_array($header, explode(', ', (string) $response->headers->get('Vary')))) {
- $response->headers->set('Vary', ((string) $response->headers->get('Vary')) . ', ' . $header);
+ } else {
+ $varyHeaders = $response->getVary();
+ if (!in_array($header, $varyHeaders, true)) {
+ if (count($response->headers->all('Vary')) === 1) {
+ $response->headers->set('Vary', ((string)$response->headers->get('Vary')) . ', ' . $header);
+ } else {
+ $response->headers->set('Vary', $header, false);
+ }
+ }
 }
 
 return $response;
diff --git a/tests/CorsTest.php b/tests/CorsTest.php
index 8838a32..07f82f8 100644
--- a/tests/CorsTest.php
+++ b/tests/CorsTest.php
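Review bot: The membership test `in_array($header, $varyHeaders, true)` in the new `else` branch compares names case-sensitively, while the entries of a Vary header are HTTP field names, which are case-insensitive. An upstream `Vary: origin` is therefore not recognised and `Origin` is appended a second time. That errs on the safe side, since the response still varies on Origin and a shared cache will not reuse one origin's Access-Control-Allow-Origin for another, but it leaves a redundant entry. Consider `if (!in_array(strtolower($header), array_map('strtolower', $varyHeaders), true)) {`. varyHeader's closing brace lies outside this hunk, and the same line appears as unchanged context in the [PATCH 2/2] hunk.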
@@ -274,6 +274,32 @@ public function itAppendsAnExistingVaryHeader(): void
 $this->assertEquals('Content-Type, Origin', $response->headers->get('Vary'));
 }
 
+ /**
+ * @test
+ * @see http://www.w3.org/TR/cors/index.html#resource-implementation
+ */
+ public function itAppendsMultipleExistingVaryHeaders(): void
+ {
+ $app = $this->createStackedApp(
+ array(
+ 'allowedOrigins' => ['*'],
+ 'supportsCredentials' => true,
+ ),
+ array(
+ 'Vary' => [
+ 'Content-Type',
+ 'Referer',
+ ],
+ )
+ );
+ $request = $this->createValidActualRequest();
+
+ $response = $app->handle($request);
+
+ $this->assertCount(3, $response->headers->all('Vary'));
+ $this->assertEquals(['Content-Type', 'Referer', 'Origin'], $response->headers->all('Vary'));
+ }
+
 /**
 * @test
 */
@@ -555,7 +581,7 @@ private function createValidPreflightRequest(): Request
 
 /**
 * @param CorsInputOptions $options
- * @param string[] $responseHeaders
+ * @param array|string> $responseHeaders
 * @return MockApp
 */
 private function createStackedApp(array $options = array(), array $responseHeaders = array()): MockApp
diff --git a/tests/MockApp.php b/tests/MockApp.php
index 79e4ff3..e506a00 100644
--- a/tests/MockApp.php
+++ b/tests/MockApp.php
@@ -21,7 +21,7 @@
 */
 class MockApp
 {
- /** @var string[] */
+ /** @var array|string> */
 private $responseHeaders;
 
 /**
@@ -30,7 +30,7 @@ class MockApp
 private $cors;
 
 /**
- * @param string[] $responseHeaders
+ * @param array|string> $responseHeaders
 * @param CorsInputOptions $options
 */
 public function __construct(array $responseHeaders, array $options = [])
From 69714b598c5cc36ad95efe2db214327b81d53ff5 Mon Sep 17 00:00:00 2001
From: "Barry vd. Heuvel"
Date: Thu, 13 Mar 2025 14:05:12 +0100
Subject: [PATCH 2/2] Use setVary
---
 src/CorsService.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/CorsService.php b/src/CorsService.php
index 69f80c8..43731af 100644
--- a/src/CorsService.php
+++ b/src/CorsService.php
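Review bot: `itAppendsMultipleExistingVaryHeaders` covers only the append path; nothing exercises a response whose several Vary lines already list `Origin`, which is the case the `getVary()` lookup in src/CorsService.php appears meant to handle. A companion test that passes `'Vary' => ['Content-Type', 'Origin']` and asserts `$this->assertEquals(['Content-Type', 'Origin'], $response->headers->all('Vary'));` would pin that no duplicate is added. The `assertCount(3, …)` call is implied by the `assertEquals` on the following line and could be dropped.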
@@ -280,9 +280,9 @@ public function varyHeader(Response $response, string $header): Response
 $varyHeaders = $response->getVary();
 if (!in_array($header, $varyHeaders, true)) {
 if (count($response->headers->all('Vary')) === 1) {
- $response->headers->set('Vary', ((string)$response->headers->get('Vary')) . ', ' . $header);
+ $response->setVary(((string)$response->headers->get('Vary')) . ', ' . $header);
 } else {
- $response->headers->set('Vary', $header, false);
+ $response->setVary($header, false);
 }
 }
 }
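Review bot: The `count($response->headers->all('Vary')) === 1` split carries no comment explaining why a single existing Vary line is rewritten as one comma-joined value while several lines get a further line appended. Now that both arms call `setVary()`, the distinction is easy to lose in a later cleanup. I would add above the inner `if`: `// One Vary line: keep it a single comma-joined value. Several lines: append another line and leave the existing ones untouched.` The hunk starts inside varyHeader's `else` branch and the function ends outside it.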