S3: Add Vary header for non-wildcard AllowOrigin (#7547)

weed/s3api/cors/cors.go

@@ -361,6 +361,10 @@ func ApplyHeaders(w http.ResponseWriter, corsResp *CORSResponse) {
 
 	if corsResp.AllowOrigin != "" {
 		w.Header().Set("Access-Control-Allow-Origin", corsResp.AllowOrigin)
+
+		if corsResp.AllowOrigin != "*" {
+			w.Header().Add("Vary", "Origin")
+		}
 	}
 
 	if corsResp.AllowMethods != "" {

weed/s3api/cors/cors_test.go

@@ -480,6 +480,7 @@ func TestApplyHeaders(t *testing.T) {
 				"Access-Control-Allow-Headers":  "Content-Type",
 				"Access-Control-Expose-Headers": "ETag",
 				"Access-Control-Max-Age":        "3600",
+				"Vary":        					 "Origin",
 			},
 		},
 		{
@@ -493,6 +494,7 @@ func TestApplyHeaders(t *testing.T) {
 				"Access-Control-Allow-Origin":      "http://example.com",
 				"Access-Control-Allow-Methods":     "GET",
 				"Access-Control-Allow-Credentials": "true",
+				"Vary":        					    "Origin",
 			},
 		},
 	}