in apisix/plugins/cors.lua [340:400]
function _M.header_filter(conf, ctx)
local req_origin = ctx.original_request_origin
local allow_origins
local allow_origins_local = false
if conf.allow_origins_by_metadata then
allow_origins = process_with_allow_origins_by_metadata(
TYPE_ACCESS_CONTROL_ALLOW_ORIGIN, conf.allow_origins_by_metadata, ctx, req_origin
)
if not match_origins(req_origin, allow_origins) then
if conf.allow_origins and conf.allow_origins ~= "*" then
allow_origins_local = true
end
end
else
allow_origins_local = true
end
if conf.allow_origins_by_regex == nil then
if allow_origins_local then
allow_origins = process_with_allow_origins(
TYPE_ACCESS_CONTROL_ALLOW_ORIGIN, conf.allow_origins, ctx, req_origin
)
end
else
if allow_origins_local then
allow_origins = process_with_allow_origins_by_regex(
TYPE_ACCESS_CONTROL_ALLOW_ORIGIN, conf.allow_origins_by_regex,
conf, ctx, req_origin
)
end
end
if not match_origins(req_origin, allow_origins) then
allow_origins = process_with_allow_origins_by_metadata(
TYPE_ACCESS_CONTROL_ALLOW_ORIGIN, conf.allow_origins_by_metadata, ctx, req_origin
)
end
if conf.allow_origins ~= "*" then
core.response.add_header("Vary", "Origin")
end
if allow_origins then
ctx.cors_allow_origins = allow_origins
set_cors_headers(conf, ctx)
end
local timing_allow_origins
if conf.timing_allow_origins_by_regex == nil and conf.timing_allow_origins then
timing_allow_origins = process_with_allow_origins(
TYPE_TIMING_ALLOW_ORIGIN, conf.timing_allow_origins, ctx, req_origin
)
elseif conf.timing_allow_origins_by_regex then
timing_allow_origins = process_with_allow_origins_by_regex(
TYPE_TIMING_ALLOW_ORIGIN, conf.timing_allow_origins_by_regex,
conf, ctx, req_origin
)
end
if timing_allow_origins and match_origins(req_origin, timing_allow_origins) then
ctx.timing_allow_origin = timing_allow_origins
set_timing_headers(conf, ctx)
end
end