From a8ba8cc4448e3657ff273393e9f16e93c3d9505e Mon Sep 17 00:00:00 2001
From: Naz
Date: Wed, 2 Nov 2022 16:20:15 +0800
Subject: [PATCH] Added Vary value for CORS in Frontend

refs https://github.com/TryGhost/Toolbox/issues/461

- Having a 'Origin' in vary header value present on each `OPTIONS` allows to correctly bucket "allowed CORS" and "disallowed CORS" responses in shared caches
---
 ghost/core/core/frontend/web/middleware/cors.js | 17 ++++++++++++++++-
 .../core/core/server/web/api/middleware/cors.js | 2 +-
 .../test/e2e-server/1-options-requests.test.js | 4 ++--
 3 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/ghost/core/core/frontend/web/middleware/cors.js b/ghost/core/core/frontend/web/middleware/cors.js
index c4c0bf9ad1..de49d7a565 100644
--- a/ghost/core/core/frontend/web/middleware/cors.js
+++ b/ghost/core/core/frontend/web/middleware/cors.js
@@ -54,4 +54,19 @@ function corsOptionsDelegate(req, callback) {
     callback(null, corsOptions);
 }
 
-module.exports = cors(corsOptionsDelegate);
+/**
+ *
+ * @param {Express.Request} req
+ * @param {Express.Response} res
+ * @param {Function} next
+ */
+const handleCaching = (req, res, next) => {
+    // @NOTE: try to add native support for dynamic 'vary' header value in 'cors' module
+    res.vary('Origin');
+    next();
+};
+
+module.exports = [
+    cors(corsOptionsDelegate),
+    handleCaching
+];
diff --git a/ghost/core/core/server/web/api/middleware/cors.js b/ghost/core/core/server/web/api/middleware/cors.js
index ced7f78eee..01e5225d16 100644
--- a/ghost/core/core/server/web/api/middleware/cors.js
+++ b/ghost/core/core/server/web/api/middleware/cors.js
@@ -82,7 +82,7 @@ function corsOptionsDelegate(req, cb) {
 }
 
 /**
- *
+ *
  * @param {Express.Request} req
  * @param {Express.Response} res
  * @param {Function} next
diff --git a/ghost/core/test/e2e-server/1-options-requests.test.js b/ghost/core/test/e2e-server/1-options-requests.test.js
index 9bd3e3b18c..8978b87045 100644
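Review bot: `handleCaching` is placed after `cors(corsOptionsDelegate)` in the exported array, so on any preflight that the `cors` middleware answers itself (its default `preflightContinue: false` ends the response without calling `next()`) the new middleware never runs, and `Vary: Origin` on that path depends on `cors` emitting it on its own for a non-wildcard origin. Listing `handleCaching` first makes the header unconditional for every response through this stack, and `res.vary` de-duplicates so an entry `cors` adds later is not repeated: `module.exports = [` / `    handleCaching,` / `    cors(corsOptionsDelegate)` / `];`. The JSDoc's first line is empty and should state the purpose, e.g. `Adds 'Origin' to the Vary header so shared caches key CORS-allowed and CORS-denied responses separately (refs TryGhost/Toolbox#461).` — the same empty description line is what the whitespace-only hunk in ghost/core/core/server/web/api/middleware/cors.js touches. The `@NOTE` about native support in the `cors` module reads as a follow-up and would be easier to track as a `// TODO:` with the issue reference. The `corsOptionsDelegate` body that the hunk's first context line belongs to starts outside the hunk.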
--- a/ghost/core/test/e2e-server/1-options-requests.test.js
+++ b/ghost/core/test/e2e-server/1-options-requests.test.js
@@ -108,7 +108,7 @@ describe('OPTIONS requests', function () {
             .expect(200);
 
         assert.equal(res.headers['cache-control'], 'public, max-age=0');
-        assert.equal(res.headers.vary, 'Accept-Encoding');
+        assert.equal(res.headers.vary, 'Origin, Accept-Encoding');
         assert.equal(res.headers.allow, 'POST,GET,HEAD');
     });
 
@@ -119,7 +119,7 @@ describe('OPTIONS requests', function () {
             .expect(200);
 
         assert.equal(res.headers['cache-control'], 'public, max-age=0');
-        assert.equal(res.headers.vary, 'Accept-Encoding');
+        assert.equal(res.headers.vary, 'Origin, Accept-Encoding');
         assert.equal(res.headers.allow, 'POST,GET,HEAD');
     });
 });
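Review bot: Both changed assertions (this hunk and the one at @@ -119) pin the exact string `'Origin, Accept-Encoding'`, so the test now depends on the order in which two unrelated middlewares append to `Vary` rather than on the header's content; comparing a normalized set, e.g. `assert.deepEqual(res.headers.vary.split(/,\s*/).sort(), ['Accept-Encoding', 'Origin']);`, checks the same requirement without that coupling. The visible assertions do not send an `Origin` header, so the case that motivated the change — a disallowed origin receiving the same `Vary: Origin` as an allowed one — appears to be untested here; if the request setup above the hunk does not add one, a second OPTIONS case with a non-allowed `Origin` would cover it. The enclosing `it` callbacks start above each hunk.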