From 258f5e925f228071809745d70ff4727c6e29f0c7 Mon Sep 17 00:00:00 2001
From: jub0bs
Date: Mon, 10 Feb 2025 21:43:18 +0100
Subject: [PATCH] util/httputil: Always add Vary header in SetCORS

Closes #15406

Also, drop Origin from the Access-Control-Allow-Headers response header; see https://fetch.spec.whatwg.org/#forbidden-request-header.

Signed-off-by: jub0bs
---
 util/httputil/cors.go | 6 +++---
 util/httputil/cors_test.go | 20 +++++++++++++++++++-
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/util/httputil/cors.go b/util/httputil/cors.go
index 7e0dac7871..035c462e74 100644
--- a/util/httputil/cors.go
+++ b/util/httputil/cors.go
@@ -20,14 +20,14 @@ import (
 )
 
 var corsHeaders = map[string]string{
- "Access-Control-Allow-Headers": "Accept, Authorization, Content-Type, Origin",
+ "Access-Control-Allow-Headers": "Accept, Authorization, Content-Type",
 "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
 "Access-Control-Expose-Headers": "Date",
- "Vary": "Origin",
 }
 
-// SetCORS enables cross-site script calls.
+// SetCORS enables cross-origin script calls.
 func SetCORS(w http.ResponseWriter, o *regexp.Regexp, r *http.Request) {
+ w.Header().Add("Vary", "Origin")
 origin := r.Header.Get("Origin")
 if origin == "" {
 return
diff --git a/util/httputil/cors_test.go b/util/httputil/cors_test.go
index 657443ece0..d1fb8c143c 100644
--- a/util/httputil/cors_test.go
+++ b/util/httputil/cors_test.go
@@ -48,8 +48,10 @@ func TestCORSHandler(t *testing.T) {
 resp, err := client.Do(req)
 require.NoError(t, err, "client get failed with unexpected error")
 
- AccessControlAllowOrigin := resp.Header.Get("Access-Control-Allow-Origin")
+ Vary := resp.Header.Get("Vary")
+ require.Equal(t, "Origin", Vary, `expected "Vary: Origin" header`)
 
+ AccessControlAllowOrigin := resp.Header.Get("Access-Control-Allow-Origin")
 require.Equal(t, dummyOrigin, AccessControlAllowOrigin, "expected Access-Control-Allow-Origin header")
 
 // OPTIONS with bad origin
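Review bot: The rewritten doc comment `// SetCORS enables cross-origin script calls.` does not state the new invariant that `Vary: Origin` is emitted on every response, including requests without an Origin header, which is the point of this commit and what anyone reasoning about shared-cache behaviour needs to see at the call site. I would extend it to `// SetCORS enables cross-origin script calls. It always adds "Vary: Origin" so a cached response tailored to one origin is not served to another; the remaining CORS headers are only set for requests that carry an Origin header.` Because `Header().Add` appends rather than replaces, a handler chain that runs SetCORS twice on the same ResponseWriter would emit the value twice; harmless for caches, but a one-line comment on the `w.Header().Add("Vary", "Origin")` line saying Add is deliberate (so an upstream Vary such as Accept-Encoding is preserved) would stop a later reader from "fixing" it to Set. The body of SetCORS continues past this hunk, so whether the remaining corsHeaders are applied only on a match against `o` cannot be confirmed here.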
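Review bot: The new assertion `Vary := resp.Header.Get("Vary")` followed by `require.Equal(t, "Origin", Vary, ...)` inspects only the first Vary field, so it would still pass if the handler emitted a second Vary value or duplicated `Origin`, which is exactly the regression that switching to `Header().Add` could introduce. `require.Equal(t, []string{"Origin"}, resp.Header.Values("Vary"), `expected exactly one "Vary: Origin" header`)` pins both presence and multiplicity; the same applies to the two Vary checks in the `@@ -62,4 +64,20 @@` hunk. On style, `Vary` as a local name follows the file's existing `AccessControlAllowOrigin`, but Go convention would be a lowercase `vary` if the file is ever tidied. TestCORSHandler starts before and ends after this hunk.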
@@ -62,4 +64,20 @@ func TestCORSHandler(t *testing.T) {
 AccessControlAllowOrigin = resp.Header.Get("Access-Control-Allow-Origin")
 
 require.Empty(t, AccessControlAllowOrigin, "Access-Control-Allow-Origin header should not exist but it was set")
+
+ Vary = resp.Header.Get("Vary")
+ require.Equal(t, "Origin", Vary, `expected "Vary: Origin" header`)
+
+ // OPTIONS with no origin
+ req, err = http.NewRequest(http.MethodOptions, server.URL+"/any_path", nil)
+ require.NoError(t, err, "could not create request")
+
+ resp, err = client.Do(req)
+ require.NoError(t, err, "client get failed with unexpected error")
+
+ Vary = resp.Header.Get("Vary")
+ require.Equal(t, "Origin", Vary, `expected "Vary: Origin" header`)
+
+ AccessControlAllowOrigin = resp.Header.Get("Access-Control-Allow-Origin")
+ require.Empty(t, AccessControlAllowOrigin, "Access-Control-Allow-Origin header should not exist but it was set")
 }
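Review bot: The "OPTIONS with no origin" case added at the end of TestCORSHandler asserts that Vary is present and Access-Control-Allow-Origin is absent, but not that the other entries of corsHeaders (`Access-Control-Allow-Methods`, `Access-Control-Allow-Headers`, `Access-Control-Expose-Headers`) are also absent, which is what distinguishes "Vary is always sent" from "all CORS headers are always sent" and is the behaviour the early `if origin == "" { return }` in SetCORS is meant to guarantee. One more line, `require.Empty(t, resp.Header.Get("Access-Control-Allow-Methods"), "CORS headers should not be set without an Origin")`, would pin that. Each `resp, err = client.Do(req)` in this hunk also overwrites the previous response without closing its body; a `defer resp.Body.Close()` after each successful Do keeps the httptest connections from leaking across the subtests. The opening of TestCORSHandler lies outside this hunk.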