batman-ezio commented on a change in pull request #3839: URL: https://github.com/apache/apisix/pull/3839#discussion_r597353916
########## File path: apisix/plugins/cors.lua ########## @@ -133,7 +157,7 @@ local function set_cors_headers(conf, ctx) end core.response.set_header("Access-Control-Allow-Origin", ctx.cors_allow_origins) - if ctx.cors_allow_origins ~= "*" then + if ctx.cors_allow_origins ~= "*" or conf.allow_origins_by_regex ~= nil then

Review comment:

If allow_origins_by_regex is matched, the cors_allow_origins will be the matched domain, not `*`. For example, if we use `[".*.test.com"]` and the request is from a.test.com, then the cors_allow_origins will be set to `a.test.com`, not `*`.

`conf.allow_origins_by_regex ~= nil` means we use regex to match many domains. The Vary must be set as `Origin`.

If a request may contain an Access-Control-Allow-Origin with different values, then the CDN should always respond with Vary: Origin; check https://stackoverflow.com/questions/25329405/why-isnt-vary-origin-response-set-on-a-cors-miss
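
Review bot: the added `or conf.allow_origins_by_regex ~= nil` clause on the changed `if` line needs a code comment explaining why the branch is keyed on configuration as well as on the computed `ctx.cors_allow_origins`. Per the review comment, a regex match already makes `ctx.cors_allow_origins` a concrete origin, so the first clause is already true in that case; the new clause only changes behaviour when `allow_origins_by_regex` is configured and `ctx.cors_allow_origins` is still `*`. State that case in the comment and cover it with a test. The body of the `if` is outside the visible lines, so confirm it is still correct when entered with a `*` value.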
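
Why the comment asks for `Vary: Origin` whenever origins are matched by regex, as an added example (not APISIX code and not part of the original comment): a toy shared cache hands one origin's `Access-Control-Allow-Origin` to another unless the response carries `Vary: Origin`. The names `origin_response`, `SharedCache` and `acao_seen_by_second_origin` are hypothetical, and the origins are constructed in the scheme-less form the comment uses.

```python
import re

# Constructed policy mirroring the pattern quoted in the review comment.
ALLOW_ORIGINS_BY_REGEX = [r".*.test.com"]

def origin_response(origin, send_vary):
    """Hypothetical upstream: echo the Origin when a configured regex matches."""
    headers = {}
    if origin and any(re.fullmatch(p, origin) for p in ALLOW_ORIGINS_BY_REGEX):
        headers["Access-Control-Allow-Origin"] = origin
    if send_vary:
        # Sent on matches and misses alike: the response depends on Origin.
        headers["Vary"] = "Origin"
    return headers

class SharedCache:
    """Minimal cache: key is the URL plus the request headers named by Vary."""
    def __init__(self, upstream):
        self.upstream = upstream
        self.vary_for_url = {}  # url -> header names from the stored Vary
        self.store = {}

    def _key(self, url, req_headers):
        names = self.vary_for_url.get(url, ())
        return (url,) + tuple((n, req_headers.get(n)) for n in names)

    def get(self, url, req_headers):
        key = self._key(url, req_headers)
        if key in self.store:
            return self.store[key]
        resp = self.upstream(req_headers.get("Origin"))
        vary = resp.get("Vary")
        names = tuple(v.strip() for v in vary.split(",")) if vary else ()
        self.vary_for_url[url] = names
        self.store[self._key(url, req_headers)] = resp
        return resp

def acao_seen_by_second_origin(send_vary):
    """Warm the cache as a.test.com, then fetch the same URL as b.test.com."""
    cache = SharedCache(lambda origin: origin_response(origin, send_vary))
    cache.get("/api", {"Origin": "a.test.com"})
    second = cache.get("/api", {"Origin": "b.test.com"})
    return second.get("Access-Control-Allow-Origin")
```

Without `Vary`, the second origin receives a header naming the first, which a browser treats as a CORS failure for an origin the policy allows.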