Handle OPTIONS cacheable

src/Cors.php

@@ -45,8 +45,16 @@ public function __construct(HttpKernelInterface $app, array $options = array())
 
  public function handle(Request $request, $type = HttpKernelInterface::MASTER_REQUEST, $catch = true)
  {
- if ($this->cors->isPreflightRequest($request)) {
- return $this->cors->handlePreflightRequest($request);
+ if ($request->getMethod() === 'OPTIONS') {
+ if ($this->cors->isPreflightRequest($request)) {
+ $response = $this->cors->handlePreflightRequest($request);
+ } else {
+ $response = $this->app->handle($request, $type, $catch);
+ }
+
+ $this->cors->varyHeader($response, 'Access-Control-Request-Method');
+
+ return $response;
  }
 
  $response = $this->app->handle($request, $type, $catch);

src/CorsService.php

@@ -69,9 +69,7 @@ public function isCorsRequest(Request $request)
 
  public function isPreflightRequest(Request $request)
  {
- return $this->isCorsRequest($request)
- && $request->getMethod() === 'OPTIONS'
- && $request->headers->has('Access-Control-Request-Method');
+ return $request->getMethod() === 'OPTIONS' && $request->headers->has('Access-Control-Request-Method');
  }
 
  public function handlePreflightRequest(Request $request)
@@ -213,11 +211,11 @@ private function configureMaxAge(Response $response, Request $request)
  }
  }
 
- private function varyHeader(Response $response, $header)
+ public function varyHeader(Response $response, $header)
  {
  if (!$response->headers->has('Vary')) {
  $response->headers->set('Vary', $header);
- } else {
+ } elseif (!in_array($header, explode(', ', $response->headers->get('Vary')))) {
  $response->headers->set('Vary', $response->headers->get('Vary') . ', ' . $header);
  }
  }

tests/CorsTest.php

@@ -105,7 +105,7 @@ public function it_returns_allow_headers_header_on_allow_all_headers_request_cre
 
  $this->assertEquals(204, $response->getStatusCode());
  $this->assertEquals('Foo, BAR', $response->headers->get('Access-Control-Allow-Headers'));
- $this->assertEquals('Access-Control-Request-Headers', $response->headers->get('Vary'));
+ $this->assertStringContainsString('Access-Control-Request-Headers', $response->headers->get('Vary'));
  }
 
  /**
@@ -304,6 +304,20 @@ public function it_returns_access_control_headers_on_cors_request_with_pattern_o
  $this->assertEquals('Origin', $response->headers->get('Vary'));
  }
 
+ /**
+ * @test
+ */
+ public function it_adds_vary_headers_on_preflight_non_preflight_options()
+ {
+ $app = $this->createStackedApp();
+ $request = new Request();
+ $request->setMethod('OPTIONS');
+
+ $response = $app->handle($request);
+
+ $this->assertEquals('Access-Control-Request-Method', $response->headers->get('Vary'));
+ }
+
  /**
  * @test
  */
@@ -316,6 +330,7 @@ public function it_returns_access_control_headers_on_valid_preflight_request()
 
  $this->assertTrue($response->headers->has('Access-Control-Allow-Origin'));
  $this->assertEquals('http://localhost', $response->headers->get('Access-Control-Allow-Origin'));
+ $this->assertEquals('Access-Control-Request-Method', $response->headers->get('Vary'));
  }
 
  /**