From 83ce09e5b6ebb56d18d030255ff486a3f7bda03e Mon Sep 17 00:00:00 2001
From: Eran Hammer
Date: Tue, 19 Nov 2013 22:51:20 -0800
Subject: [PATCH] Cors origin handler missing vary. Closes #1163
---
 lib/response/headers.js | 13 ++++++++-----
 test/integration/response.js | 1 +
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/lib/response/headers.js b/lib/response/headers.js
index 1118b2973..bb68daee6 100755
--- a/lib/response/headers.js
+++ b/lib/response/headers.js
@@ -58,12 +58,15 @@ exports.cors = function (response, request) {
 if (cors._origin.any) {
 response.header('access-control-allow-origin', '*');
 }
- else if (internals.matchOrigin(request.headers.origin, cors)) {
+ else {
 response.header('vary', 'origin', true);
- response.header('access-control-allow-origin', request.headers.origin);
- }
- else if (cors._origin.qualifiedString && cors.isOriginExposed) {
- response.header('access-control-allow-origin', cors._origin.qualifiedString);
+
+ if (internals.matchOrigin(request.headers.origin, cors)) {
+ response.header('access-control-allow-origin', request.headers.origin);
+ }
+ else if (cors._origin.qualifiedString && cors.isOriginExposed) {
+ response.header('access-control-allow-origin', cors._origin.qualifiedString);
+ }
 }
 }
diff --git a/test/integration/response.js b/test/integration/response.js
index a90994056..24163477d 100755
--- a/test/integration/response.js
+++ b/test/integration/response.js
@@ -102,6 +102,7 @@ describe('Response', function () {
 expect(res.result).to.exist;
 expect(res.result).to.equal('ok');
 expect(res.headers['access-control-allow-origin']).to.not.exist;
+ expect(res.headers.vary).to.equal('origin');
 done();
 });
 });
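Review bot: In lib/response/headers.js, the `response.header('vary', 'origin', true);` call at the top of the new `else` branch has no comment explaining why it must run even when neither inner branch emits `access-control-allow-origin`. Without that reasoning a later refactor could easily move it back under the match, so I would add `// Vary on Origin whenever the policy is origin-specific, including the no-match reply, so a shared cache cannot replay one origin's CORS decision to another`. Separately, `request.headers.origin` is passed to `internals.matchOrigin` with no visible check that the header was sent; matchOrigin is outside the hunk and presumably tolerates `undefined`, but that is worth confirming. The body of `exports.cors` starts and continues outside the hunk.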
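Review bot: In test/integration/response.js, the added `expect(res.headers.vary).to.equal('origin');` pins the whole Vary value, although the handler sets it with what looks like an append flag (`response.header('vary', 'origin', true)`). Any other Vary token added to this route later would fail the assertion for an unrelated reason; a containment check such as `expect(res.headers.vary).to.contain('origin');` would pin only the property this commit fixes. The enclosing test case begins outside the hunk, so the request it sends is not visible here. It appears to be the non-matching-origin case, and the matching-origin path would merit the same Vary assertion if it does not already have one.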