Add Vary header to preflight response if allow_credentials

jcwilson · Dec 11, 2020 · f3ab6a6 · f3ab6a6
1 parent bceab59
commit f3ab6a6
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 0 deletions.
diff --git a/starlette/middleware/cors.py b/starlette/middleware/cors.py
@@ -41,6 +41,8 @@ def __init__(
         preflight_headers = {}
         if "*" in allow_origins:
             preflight_headers["Access-Control-Allow-Origin"] = "*"
+            if allow_credentials:
+                preflight_headers["Vary"] = "Origin"
         else:
             preflight_headers["Vary"] = "Origin"
         preflight_headers.update(

diff --git a/tests/middleware/test_cors.py b/tests/middleware/test_cors.py
@@ -34,6 +34,7 @@ def homepage(request):
     assert response.headers["access-control-allow-origin"] == "https://example.org"
     assert response.headers["access-control-allow-headers"] == "X-Example"
     assert response.headers["access-control-allow-credentials"] == "true"
+    assert response.headers["vary"] == "Origin"
 
     # Test standard response
     headers = {"Origin": "https://example.org"}
@@ -89,6 +90,7 @@ def homepage(request):
     assert response.headers["access-control-allow-origin"] == "*"
     assert response.headers["access-control-allow-headers"] == "X-Example"
     assert "access-control-allow-credentials" not in response.headers
+    assert "vary" not in response.headers
 
     # Test standard response
     headers = {"Origin": "https://example.org"}
@@ -206,6 +208,7 @@ def homepage(request):
     assert response.status_code == 200
     assert response.headers["access-control-allow-origin"] == "https://example.org"
     assert response.headers["access-control-allow-credentials"] == "true"
+    assert response.headers["vary"] == "Origin"
 
 
 def test_cors_allow_origin_regex():