Add test to ensure that the vary header does not contain origin if re…

…quest is non-credentialed

tests/middleware/test_cors.py

@@ -245,6 +245,24 @@ def homepage(request):
     assert response.headers["vary"] == "Origin"
 
 
+def test_cors_vary_header_is_not_set_for_non_credentialed_request():
+    app = Starlette()
+
+    app.add_middleware(CORSMiddleware, allow_origins=["*"])
+
+    @app.route("/")
+    def homepage(request):
+        return PlainTextResponse(
+            "Homepage", status_code=200, headers={"Vary": "Accept-Encoding"}
+        )
+
+    client = TestClient(app)
+
+    response = client.get("/", headers={"Origin": "https://someplace.org"})
+    assert response.status_code == 200
+    assert response.headers["vary"] == "Accept-Encoding"
+
+
 def test_cors_vary_header_is_properly_set_for_credentialed_request():
     app = Starlette()