From 729969632a6f80d01b5eb4e0593e4461ea1ddfba Mon Sep 17 00:00:00 2001
From: michalsn <michal@sniatala.pl>
Date: Mon, 27 Jan 2025 08:52:13 +0100
Subject: [PATCH] fix append vary header

---
 system/Filters/Cors.php | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/system/Filters/Cors.php b/system/Filters/Cors.php
index cb0e09c138ea..3ed2d7d1c66e 100644
--- a/system/Filters/Cors.php
+++ b/system/Filters/Cors.php
@@ -61,16 +61,24 @@ public function before(RequestInterface $request, $arguments = null)
         /** @var ResponseInterface $response */
         $response = service('response');
 
-        if ($request->is('OPTIONS')) {
+        if ($this->cors->isPreflightRequest($request)) {
+            $response = $this->cors->handlePreflightRequest($request, $response);
+
             // Always adds `Vary: Access-Control-Request-Method` header for cacheability.
             // If there is an intermediate cache server such as a CDN, if a plain
             // OPTIONS request is sent, it may be cached. But valid preflight requests
             // have this header, so it will be cached separately.
             $response->appendHeader('Vary', 'Access-Control-Request-Method');
+
+            return $response;
         }
 
-        if ($this->cors->isPreflightRequest($request)) {
-            return $this->cors->handlePreflightRequest($request, $response);
+        if ($request->is('OPTIONS')) {
+            // Always adds `Vary: Access-Control-Request-Method` header for cacheability.
+            // If there is an intermediate cache server such as a CDN, if a plain
+            // OPTIONS request is sent, it may be cached. But valid preflight requests
+            // have this header, so it will be cached separately.
+            $response->appendHeader('Vary', 'Access-Control-Request-Method');
         }
 
         $this->cors->addResponseHeaders($request, $response);