Fix: Always set Vary: Origin header according to CORS spec to avoid caching issues

lib/index.js

@@ -1,5 +1,4 @@
 (function () {
-
   'use strict';
 
   var assign = require('object-assign');
@@ -9,7 +8,7 @@
     origin: '*',
     methods: 'GET,HEAD,PUT,PATCH,POST,DELETE',
     preflightContinue: false,
-    optionsSuccessStatus: 204
+    optionsSuccessStatus: 204,
   };
 
   function isString(s) {
@@ -34,39 +33,29 @@
   }
 
   function configureOrigin(options, req) {
-    var requestOrigin = req.headers.origin,
-      headers = [],
-      isAllowed;
+    var requestOrigin = req.headers.origin;
+    var headers = [];
+    var isAllowed;
 
     if (!options.origin || options.origin === '*') {
-      // allow any origin
-      headers.push([{
-        key: 'Access-Control-Allow-Origin',
-        value: '*'
-      }]);
+      headers.push([{ key: 'Access-Control-Allow-Origin', value: '*' }]);
     } else if (isString(options.origin)) {
-      // fixed origin
-      headers.push([{
-        key: 'Access-Control-Allow-Origin',
-        value: options.origin
-      }]);
-      headers.push([{
-        key: 'Vary',
-        value: 'Origin'
-      }]);
+      headers.push([
+        { key: 'Access-Control-Allow-Origin', value: options.origin },
+      ]);
     } else {
       isAllowed = isOriginAllowed(requestOrigin, options.origin);
-      // reflect origin
-      headers.push([{
-        key: 'Access-Control-Allow-Origin',
-        value: isAllowed ? requestOrigin : false
-      }]);
-      headers.push([{
-        key: 'Vary',
-        value: 'Origin'
-      }]);
+      headers.push([
+        {
+          key: 'Access-Control-Allow-Origin',
+          value: isAllowed ? requestOrigin : false,
+        },
+      ]);
     }
 
+    // **Ensure `Vary: Origin` is always set**
+    headers.push([{ key: 'Vary', value: 'Origin' }]);
+
     return headers;
   }
 
@@ -77,15 +66,15 @@
     }
     return {
       key: 'Access-Control-Allow-Methods',
-      value: methods
+      value: methods,
     };
   }
 
   function configureCredentials(options) {
     if (options.credentials === true) {
       return {
         key: 'Access-Control-Allow-Credentials',
-        value: 'true'
+        value: 'true',
       };
     }
     return null;
@@ -97,18 +86,22 @@
 
     if (!allowedHeaders) {
       allowedHeaders = req.headers['access-control-request-headers']; // .headers wasn't specified, so reflect the request headers
-      headers.push([{
-        key: 'Vary',
-        value: 'Access-Control-Request-Headers'
-      }]);
+      headers.push([
+        {
+          key: 'Vary',
+          value: 'Access-Control-Request-Headers',
+        },
+      ]);
     } else if (allowedHeaders.join) {
       allowedHeaders = allowedHeaders.join(','); // .headers is an array, so turn it into a string
     }
     if (allowedHeaders && allowedHeaders.length) {
-      headers.push([{
-        key: 'Access-Control-Allow-Headers',
-        value: allowedHeaders
-      }]);
+      headers.push([
+        {
+          key: 'Access-Control-Allow-Headers',
+          value: allowedHeaders,
+        },
+      ]);
     }
 
     return headers;
@@ -124,18 +117,20 @@
     if (headers && headers.length) {
       return {
         key: 'Access-Control-Expose-Headers',
-        value: headers
+        value: headers,
       };
     }
     return null;
   }
 
   function configureMaxAge(options) {
-    var maxAge = (typeof options.maxAge === 'number' || options.maxAge) && options.maxAge.toString()
+    var maxAge =
+      (typeof options.maxAge === 'number' || options.maxAge) &&
+      options.maxAge.toString();
     if (maxAge && maxAge.length) {
       return {
         key: 'Access-Control-Max-Age',
-        value: maxAge
+        value: maxAge,
       };
     }
     return null;
@@ -163,11 +158,11 @@
     if (method === 'OPTIONS') {
       // preflight
       headers.push(configureOrigin(options, req));
-      headers.push(configureCredentials(options))
-      headers.push(configureMethods(options))
+      headers.push(configureCredentials(options));
+      headers.push(configureMethods(options));
       headers.push(configureAllowedHeaders(options, req));
-      headers.push(configureMaxAge(options))
-      headers.push(configureExposedHeaders(options))
+      headers.push(configureMaxAge(options));
+      headers.push(configureExposedHeaders(options));
       applyHeaders(headers, res);
 
       if (options.preflightContinue) {
@@ -182,8 +177,8 @@
     } else {
       // actual response
       headers.push(configureOrigin(options, req));
-      headers.push(configureCredentials(options))
-      headers.push(configureExposedHeaders(options))
+      headers.push(configureCredentials(options));
+      headers.push(configureExposedHeaders(options));
       applyHeaders(headers, res);
       next();
     }
@@ -234,5 +229,4 @@
 
   // can pass either an options hash, an options delegate, or nothing
   module.exports = middlewareWrapper;
-
-}());
+})();