Description
Search for duplicate issues
- I already searched, and this issue is not a duplicate.
Issue scope
Other (specify below)
Describe the bug
The package using CORS should also modify the Vary header to include the Origin header as the response changes based on the Origin header. For example:
~
❯ curl 'https://static.learnfeliz.com/objects/suburban/House.glb' \
-H 'sec-ch-ua-platform: "Android"' \
-H 'Origin: xyz.com' \
-H 'Referer: http://localhost:5173/' \
-H 'User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Mobile Safari/537.36' \
-H 'sec-ch-ua: "Not A(Brand";v="8", "Chromium";v="132", "Google Chrome";v="132"' \
-H 'DNT: 1' \
-H 'sec-ch-ua-mobile: ?1' -IL
HTTP/2 200
date: Sat, 22 Mar 2025 17:37:43 GMT
content-type: model/gltf-binary
content-length: 28748
accept-ranges: bytes
access-control-allow-headers: content-type, authorization, origin
access-control-allow-methods: GET, HEAD, OPTIONS
access-control-allow-origin: xyz.com
access-control-expose-headers: content-type, origin
cache-control: public, max-age=604800, s-maxage=604800, stale-while-revalidate=432000
content-security-policy: frame-ancestors 'self'
last-modified: Sun, 02 Feb 2025 16:07:36 GMT
strict-transport-security: max-age=63072000; includeSubDomains; preload
vary: accept-encoding
x-content-type-options: nosniff
x-frame-options: DENY
cf-cache-status: MISS
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3dPHn1b5FUB3FryKKdHEGPWgIlB94RQFcRekCKH4JD8g1wYsGH9cUdzMkFH2%2BvdDD%2BE2GxVqlnTZDDMVYmpOj8Nk84Ou%2B3oXo8yD%2FOsXWHDbZtvgvkHerMlegZoRMYWlZsbnsOdOFSTmkrdTaGj30kEoyK8%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 92477567284ffe9f-AMS
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=6188&min_rtt=6057&rtt_var=1351&sent=6&recv=8&lost=0&retrans=0&sent_bytes=3433&recv_bytes=1020&delivery_rate=650056&cwnd=253&unsent_bytes=0&cid=3f4c0868dbf530e1&ts=56&x=0"
~
❯ curl 'https://static.learnfeliz.com/objects/suburban/House.glb' \
-H 'sec-ch-ua-platform: "Android"' \
-H 'Referer: http://localhost:5173/' \
-H 'User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Mobile Safari/537.36' \
-H 'sec-ch-ua: "Not A(Brand";v="8", "Chromium";v="132", "Google Chrome";v="132"' \
-H 'DNT: 1' \
-H 'sec-ch-ua-mobile: ?1' -IL
HTTP/2 200
date: Sat, 22 Mar 2025 17:37:52 GMT
content-type: model/gltf-binary
content-length: 28748
accept-ranges: bytes
cache-control: public, max-age=604800, s-maxage=604800, stale-while-revalidate=432000
content-security-policy: frame-ancestors 'self'
last-modified: Sun, 02 Feb 2025 16:07:36 GMT
strict-transport-security: max-age=63072000; includeSubDomains; preload
vary: accept-encoding
x-content-type-options: nosniff
x-frame-options: DENY
age: 2638
cf-cache-status: HIT
report-to: {"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=UrAX3a37N5Bni6sTWHP%2BIb8f6%2F48XN3kHOdcjGexHTwYUbE1X7ebTQg%2ByLajiwl7uVVgtOrb%2FQXFxy1hFfJvwmXWhSmGqS92RDkWTAgN7VsBgy3owHV7JzQ9ZTeHjV8slVcNucLDJDN1QBOj8uY0KE%2Bxp1I%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 924775a00e171cae-AMS
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=5675&min_rtt=4501&rtt_var=1891&sent=6&recv=8&lost=0&retrans=0&sent_bytes=3411&recv_bytes=1006&delivery_rate=762874&cwnd=202&unsent_bytes=0&cid=83091922d76f1690&ts=53&x=0"
~
❯ curl 'https://static.learnfeliz.com/objects/suburban/House.glb' \
-H 'sec-ch-ua-platform: "Android"' \
-H 'Origin: foobar.com' \
-H 'Referer: http://localhost:5173/' \
-H 'User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Mobile Safari/537.36' \
-H 'sec-ch-ua: "Not A(Brand";v="8", "Chromium";v="132", "Google Chrome";v="132"' \
-H 'DNT: 1' \
-H 'sec-ch-ua-mobile: ?1' -IL
HTTP/2 200
date: Sat, 22 Mar 2025 17:40:56 GMT
content-type: model/gltf-binary
content-length: 28748
accept-ranges: bytes
access-control-allow-headers: content-type, authorization, origin
access-control-allow-methods: GET, HEAD, OPTIONS
access-control-allow-origin: foobar.com
access-control-expose-headers: content-type, origin
cache-control: public, max-age=604800, s-maxage=604800, stale-while-revalidate=432000
content-security-policy: frame-ancestors 'self'
last-modified: Sun, 02 Feb 2025 16:07:36 GMT
strict-transport-security: max-age=63072000; includeSubDomains; preload
vary: accept-encoding
x-content-type-options: nosniff
x-frame-options: DENY
cf-cache-status: MISS
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qHFe%2FWUKIhsriET3FdSaqP55ceC8E5j5FV3WxLGf3u8dOiav6J5XNVmTL1ELzrO4scprZHZNAbfpJmK7VZqJYFLsWog3YdK3YnC%2BE3htOJsWtjhG0B%2FNx99LZfkT5Orn%2FzResxE42AHtAPHQhVXYJROOXxY%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 92477a1ff89b0e30-AMS
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=5668&min_rtt=5277&rtt_var=2111&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3409&recv_bytes=1021&delivery_rate=519593&cwnd=180&unsent_bytes=0&cid=a3b3ea1f408503d2&ts=69&x=0"
How to reproduce it
See above
Expected behavior
It should include the Origin header
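The failure mode behind this report, shown as an added example that is not the project's code: a minimal shared cache that reuses a stored response whenever the request matches it on the headers named in that response's `Vary`, so a reflected `Access-Control-Allow-Origin` cached under `vary: accept-encoding` is handed to every later origin, while `vary: accept-encoding, origin` keeps the entries apart. The allowlist and request sequence are constructed for the demo; `vary_covers_origin` is a small check you can run over captured response headers like the ones above.

```python
"""Why a reflected Access-Control-Allow-Origin needs Vary: Origin.
Added example, not the project's code; allowlist and requests are constructed."""
from typing import Callable, Dict, List, Optional, Tuple

ALLOWED = {"https://app.example", "https://admin.example"}  # constructed allowlist


def cors_response(req: Dict[str, Optional[str]], vary_origin: bool) -> Dict[str, str]:
    """Origin-server behaviour: reflect the Origin if allowed, optionally Vary on it."""
    resp = {"content-type": "model/gltf-binary", "vary": "accept-encoding"}
    if req.get("origin") in ALLOWED:
        resp["access-control-allow-origin"] = req["origin"]
    if vary_origin:
        resp["vary"] = "accept-encoding, origin"
    return resp


def vary_fields(resp: Dict[str, str]) -> List[str]:
    return [f.strip().lower() for f in resp.get("vary", "").split(",") if f.strip()]


def vary_covers_origin(resp: Dict[str, str]) -> bool:
    """Check for captured headers: a reflected ACAO must be varied on Origin."""
    fields = vary_fields(resp)
    return "*" in fields or "origin" in fields


class SharedCache:
    """RFC 9111-style reuse: a stored response is a hit only if the request matches
    it on every header the stored response listed in Vary (a cache-key extension)."""

    def __init__(self) -> None:
        self.entries: Dict[str, list] = {}  # url -> [(fields, matched_values, resp)]

    def fetch(self, url: str, headers: Dict[str, str],
              origin_server: Callable) -> Tuple[str, Dict[str, str]]:
        req = {k.lower(): v for k, v in headers.items()}
        for fields, values, resp in self.entries.get(url, []):
            if all(req.get(f) == values[f] for f in fields):
                return "HIT", resp
        resp = origin_server(req)
        fields = vary_fields(resp)
        self.entries.setdefault(url, []).append((fields, {f: req.get(f) for f in fields}, resp))
        return "MISS", resp


def demo(vary_origin: bool) -> List[Tuple[str, Optional[str]]]:
    """Three clients share one cache: origin A, a no-Origin client, then origin B."""
    cache, url = SharedCache(), "https://cdn.example/House.glb"  # constructed URL
    requests = [{"Origin": "https://app.example"}, {}, {"Origin": "https://admin.example"}]
    out = []
    for h in requests:
        status, resp = cache.fetch(url, h, lambda r: cors_response(r, vary_origin))
        out.append((status, resp.get("access-control-allow-origin")))
    return out
```

Without `Vary: Origin` the second and third clients receive origin A's cached `Access-Control-Allow-Origin`, which a browser on origin B will reject; with it each origin gets its own entry.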