fix(cors): add cookie to vary if credentials option is true

unjs · Oct 10, 2024 · 1825940 · 1825940
1 parent 92031aa
commit 1825940
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 4 deletions.
diff --git a/src/types/utils/cors.ts b/src/types/utils/cors.ts
@@ -39,6 +39,10 @@ export type H3AccessControlAllowOriginHeader =
   | {
       "access-control-allow-origin": "*";
     }
+  | {
+      "access-control-allow-origin": "*";
+      vary: "cookie, origin";
+    }
   | {
       "access-control-allow-origin": "null" | string;
       vary: "origin";

diff --git a/src/utils/internal/cors.ts b/src/utils/internal/cors.ts
@@ -79,8 +79,12 @@ export function createOriginHeaders(
   const { origin: originOption, credentials } = options;
   const origin = event.request.headers.get("origin");
 
-  if ((!originOption || originOption === "*") && !credentials) {
-    return { "access-control-allow-origin": "*" };
+  if (!originOption || originOption === "*") {
+    if (!credentials) {
+      return { "access-control-allow-origin": "*" };
+    }
+    // https://w3c.github.io/webappsec-cors-for-developers/#use-vary
+    return { "access-control-allow-origin": "*", vary: "cookie, origin" };
   }
 
   if (originOption === "null") {

diff --git a/test/unit/cors.test.ts b/test/unit/cors.test.ts
@@ -226,8 +226,8 @@ describe("cors (unit)", () => {
       };
 
       expect(createOriginHeaders(eventMock, options)).toEqual({
-        "access-control-allow-origin": "https://example.com",
-        vary: "origin",
+        "access-control-allow-origin": "*",
+        vary: "cookie, origin",
       });
     });