Send "Vary: Access-Control-Request-Headers" when dynamic allowedHeaders

fixes #61
expressjs · Mar 26, 2017 · 075c4b5 · 075c4b5
1 parent 6d2ff29
commit 075c4b5
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 10 deletions.
diff --git a/lib/index.js b/lib/index.js
@@ -92,19 +92,26 @@
   }
 
   function configureAllowedHeaders(options, req) {
-    var headers = options.allowedHeaders || options.headers;
-    if (!headers) {
-      headers = req.headers['access-control-request-headers']; // .headers wasn't specified, so reflect the request headers
-    } else if (headers.join) {
-      headers = headers.join(','); // .headers is an array, so turn it into a string
+    var allowedHeaders = options.allowedHeaders || options.headers;
+    var headers = [];
+
+    if (!allowedHeaders) {
+      allowedHeaders = req.headers['access-control-request-headers']; // .headers wasn't specified, so reflect the request headers
+      headers.push([{
+        key: 'Vary',
+        value: 'Access-Control-Request-Headers'
+      }]);
+    } else if (allowedHeaders.join) {
+      allowedHeaders = allowedHeaders.join(','); // .headers is an array, so turn it into a string
     }
-    if (headers && headers.length) {
-      return {
+    if (allowedHeaders && allowedHeaders.length) {
+      headers.push([{
         key: 'Access-Control-Allow-Headers',
-        value: headers
-      };
+        value: allowedHeaders
+      }]);
     }
-    return null;
+
+    return headers;
   }
 
   function configureExposedHeaders(options) {

diff --git a/test/cors.js b/test/cors.js
@@ -504,6 +504,7 @@
         res.end = function () {
           // assert
           res.getHeader('Access-Control-Allow-Headers').should.equal('header1,header2');
+          should.not.exist(res.getHeader('Vary'));
           done();
         };
 
@@ -522,6 +523,7 @@
         next = function () {
           // assert
           should.not.exist(res.getHeader('Access-Control-Allow-Headers'));
+          should.not.exist(res.getHeader('Vary'));
           done();
         };
 
@@ -540,6 +542,8 @@
         res.end = function () {
           // assert
           res.getHeader('Access-Control-Allow-Headers').should.equal('requestedHeader1,requestedHeader2');
+          should.exist(res.getHeader('Vary'));
+          res.getHeader('Vary').should.equal('Access-Control-Request-Headers');
           done();
         };