From 167398308da2db167fc139dd95a36c0b5ac7b2a2 Mon Sep 17 00:00:00 2001
From: Josh Wilson
Date: Thu, 17 Dec 2020 14:34:22 -0800
Subject: [PATCH] Add test to ensure that the vary header does not contain origin if request is non-credentialed

---
 tests/middleware/test_cors.py | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/tests/middleware/test_cors.py b/tests/middleware/test_cors.py
index 1082c3288..121902b0a 100644
--- a/tests/middleware/test_cors.py
+++ b/tests/middleware/test_cors.py
@@ -245,6 +245,24 @@ def homepage(request):
 assert response.headers["vary"] == "Origin"


+def test_cors_vary_header_is_not_set_for_non_credentialed_request():
+ app = Starlette()
+
+ app.add_middleware(CORSMiddleware, allow_origins=["*"])
+
+ @app.route("/")
+ def homepage(request):
+ return PlainTextResponse(
+ "Homepage", status_code=200, headers={"Vary": "Accept-Encoding"}
+ )
+
+ client = TestClient(app)
+
+ response = client.get("/", headers={"Origin": "https://someplace.org"})
+ assert response.status_code == 200
+ assert response.headers["vary"] == "Accept-Encoding"
+
+
 def test_cors_vary_header_is_properly_set_for_credentialed_request():
 app = Starlette()
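Review bot: The new test checks only that `Vary` stays `Accept-Encoding`; it never pins the `Access-Control-Allow-Origin` value, which is what makes leaving `Origin` out of `Vary` safe for a shared cache. Omitting `Vary: Origin` is only correct while the allow-origin header is identical for every caller, so I would add `assert response.headers["access-control-allow-origin"] == "*"` after the status-code assertion (assuming the middleware answers the wildcard configuration with a literal `*`, which this hunk does not show). The test name also says "non-credentialed", while the condition exercised is `allow_origins=["*"]` with no cookie on the request. A one-line docstring such as `"""Wildcard origin, no cookies: ACAO is constant, so Origin must not be appended to Vary."""` would make that explicit.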