From 1474af4845ac35d6fb86a7a236ac4793c8f58f7d Mon Sep 17 00:00:00 2001
From: Ruslan Talpa
Date: Thu, 31 Jul 2025 16:34:53 +0300
Subject: [PATCH] add vary: origin header when needed
---
 proxy/src/serverless/rest.rs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/proxy/src/serverless/rest.rs b/proxy/src/serverless/rest.rs
index 9f98e87272..1ce038e210 100644
--- a/proxy/src/serverless/rest.rs
+++ b/proxy/src/serverless/rest.rs
@@ -8,7 +8,7 @@ use http::Method;
 use http::header::{
 ACCESS_CONTROL_ALLOW_HEADERS, ACCESS_CONTROL_ALLOW_METHODS, ACCESS_CONTROL_ALLOW_ORIGIN,
 ACCESS_CONTROL_EXPOSE_HEADERS, ACCESS_CONTROL_MAX_AGE, ACCESS_CONTROL_REQUEST_HEADERS, ALLOW,
- AUTHORIZATION, CONTENT_TYPE, HOST, ORIGIN,
+ AUTHORIZATION, CONTENT_TYPE, HOST, ORIGIN, VARY,
 };
 use http_body_util::combinators::BoxBody;
 use http_body_util::{BodyExt, Empty, Full};
@@ -81,6 +81,7 @@ const ACCESS_CONTROL_EXPOSE_HEADERS_VALUE: HeaderValue = HeaderValue::from_stati
 "Content-Encoding, Content-Location, Content-Range, Content-Type, Date, Location, Server, Transfer-Encoding, Range-Unit",
 );
 const ACCESS_CONTROL_ALLOW_HEADERS_VALUE: HeaderValue = HeaderValue::from_static("Authorization");
+const ACCESS_CONTROL_VARY_VALUE: HeaderValue = HeaderValue::from_static("Origin");
 
 // A wrapper around the DbSchema that allows for self-referencing
 #[self_referencing]
@@ -763,6 +764,9 @@ fn apply_common_cors_headers(
 );
 if let Some(origin) = response_allow_origin {
 h.insert(ACCESS_CONTROL_ALLOW_ORIGIN, origin);
+ if origin != HEADER_VALUE_ALLOW_ALL_ORIGINS {
+ h.insert(VARY, ACCESS_CONTROL_VARY_VALUE);
+ }
 }
 }
 }
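Review bot: The new constant `ACCESS_CONTROL_VARY_VALUE` has no comment, and its `ACCESS_CONTROL_` prefix reads as if it belonged to an `Access-Control-*` header although it is the value sent for `Vary`. A name such as `VARY_ORIGIN_VALUE`, with `// Sent alongside an origin-specific Access-Control-Allow-Origin so shared caches key the response on Origin.` above it, would state the caching purpose for the next reader.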
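Review bot: `h.insert(VARY, ACCESS_CONTROL_VARY_VALUE)` in the new `if origin != HEADER_VALUE_ALLOW_ALL_ORIGINS` branch replaces any `Vary` value already on the response, so a cache key set earlier (for example on `Accept-Encoding`) would be dropped; `h.append(VARY, ACCESS_CONTROL_VARY_VALUE);` keeps existing values, though whether `h` can already carry a `Vary` header is not visible here. The comparison also reads `origin` after `h.insert(ACCESS_CONTROL_ALLOW_ORIGIN, origin)`; if `origin` is an owned `HeaderValue` (its type is declared outside the hunk) that call moves it, so the `!=` check should run before the insert. `Vary: Origin` is emitted only when an allow-origin header is emitted. If the `None` case can result from an origin that failed an allowlist check, a shared cache may store that header-less response and replay it to an allowed origin, so sending `Vary: Origin` whenever the decision depends on the request's `Origin` is the safer default. The body of `apply_common_cors_headers` starts outside the hunk.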