Merge pull request #3346 from RichardBradley/vary-origin

Include Vary:Origin on all responses from CrossOriginFilter

jetty-servlets/src/main/java/org/eclipse/jetty/servlets/CrossOriginFilter.java

@@ -400,8 +400,7 @@ public class CrossOriginFilter implements Filter
     {
         response.setHeader(ACCESS_CONTROL_ALLOW_ORIGIN_HEADER, origin);
         //W3C CORS spec http://www.w3.org/TR/cors/#resource-implementation
-        if (!anyOriginAllowed)
-            response.addHeader("Vary", ORIGIN_HEADER);
+        response.addHeader("Vary", ORIGIN_HEADER);
         if (allowCredentials)
             response.setHeader(ACCESS_CONTROL_ALLOW_CREDENTIALS_HEADER, "true");
         if (!exposedHeaders.isEmpty())

jetty-servlets/src/test/java/org/eclipse/jetty/servlets/CrossOriginFilterTest.java

@@ -135,7 +135,7 @@ public class CrossOriginFilterTest
         Set<String> fieldNames = response.getFieldNamesCollection();
         assertThat(response.toString(), CrossOriginFilter.ACCESS_CONTROL_ALLOW_ORIGIN_HEADER, isIn(fieldNames));
         assertThat(response.toString(), CrossOriginFilter.ACCESS_CONTROL_ALLOW_CREDENTIALS_HEADER, isIn(fieldNames));
-        assertThat(response.toString(), "Vary", not(isIn(fieldNames)));
+        assertThat(response.toString(), "Vary", isIn(fieldNames));
         assertTrue(latch.await(1, TimeUnit.SECONDS));
     }