Set CorsResult.VaryByOrigin if CorsPolicy has non-default IsOriginAllowed function (#25265)

Fixes #21988.

Author: stephan-tolksdorf

src/Middleware/CORS/src/Infrastructure/CorsPolicy.cs

@@ -13,14 +13,15 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
     /// </summary>
     public class CorsPolicy
     {
+        private Func<string, bool> _isOriginAllowed;
         private TimeSpan? _preflightMaxAge;
 
         /// <summary>
         /// Default constructor for a CorsPolicy.
         /// </summary>
         public CorsPolicy()
         {
-            IsOriginAllowed = DefaultIsOriginAllowed;
+            _isOriginAllowed = DefaultIsOriginAllowed;
         }
 
         /// <summary>
@@ -71,10 +72,26 @@ public bool AllowAnyOrigin
             }
         }
 
+        /// <summary>
+        /// Gets a value indicating if <see cref="IsOriginAllowed"/> is the default function that is set in the CorsPolicy constructor.
+        /// </summary>
+        internal bool IsDefaultIsOriginAllowed { get; private set; } = true;
+
         /// <summary>
         /// Gets or sets a function which evaluates whether an origin is allowed.
         /// </summary>
-        public Func<string, bool> IsOriginAllowed { get; set; }
+        public Func<string, bool> IsOriginAllowed
+        {
+            get
+            {
+                return _isOriginAllowed;
+            }
+            set
+            {
+                _isOriginAllowed = value;
+                IsDefaultIsOriginAllowed = false;
+            }
+        }
 
         /// <summary>
         /// Gets the headers that the resource might use and can be exposed.

src/Middleware/CORS/src/Infrastructure/CorsService.cs

@@ -119,7 +119,7 @@ private static void PopulateResult(HttpContext context, CorsPolicy policy, CorsR
             {
                 var origin = headers[CorsConstants.Origin];
                 result.AllowedOrigin = origin;
-                result.VaryByOrigin = policy.Origins.Count > 1;
+                result.VaryByOrigin = policy.Origins.Count > 1 || !policy.IsDefaultIsOriginAllowed;
             }
 
             result.SupportsCredentials = policy.SupportsCredentials;

src/Middleware/CORS/test/UnitTests/CorsPolicyTests.cs

@@ -25,6 +25,20 @@ public void Default_Constructor()
             Assert.Empty(corsPolicy.Origins);
             Assert.Null(corsPolicy.PreflightMaxAge);
             Assert.NotNull(corsPolicy.IsOriginAllowed);
+            Assert.True(corsPolicy.IsDefaultIsOriginAllowed);
+        }
+
+        [Fact]
+        public void IsDefaultIsOriginAllowed_IsFalseAfterSettingIsOriginAllowed()
+        {
+            // Arrange
+            var policy = new CorsPolicy();
+
+            // Act
+            policy.IsOriginAllowed = origin => true;
+
+            // Assert
+            Assert.False(policy.IsDefaultIsOriginAllowed);
         }
 
         [Fact]
@@ -71,4 +85,4 @@ public void ToString_ReturnsThePropertyValues()
                 policyString);
         }
     }
-}
+}

src/Middleware/CORS/test/UnitTests/CorsServiceTests.cs

@@ -223,6 +223,23 @@ public void EvaluatePolicy_AllowMultipleOrigins_VariesByOrigin()
             Assert.True(result.VaryByOrigin);
         }
 
+        [Fact]
+        public void EvaluatePolicy_SetIsOriginAllowed_VariesByOrigin()
+        {
+            // Arrange
+            var corsService = GetCorsService();
+            var requestContext = GetHttpContext(origin: "http://example.com");
+            var policy = new CorsPolicy();
+            policy.IsOriginAllowed = origin => true;
+
+            // Act
+            var result = corsService.EvaluatePolicy(requestContext, policy);
+
+            // Assert
+            Assert.Equal("http://example.com", result.AllowedOrigin);
+            Assert.True(result.VaryByOrigin);
+        }
+
         [Fact]
         public void EvaluatePolicy_NoExposedHeaders_NoAllowExposedHeaders()
         {