From 1201c3773f9aa3ccff0796750a0865eb8468b848 Mon Sep 17 00:00:00 2001
From: "CJACK." <155826701+CJackHwang@users.noreply.github.com>
Date: Sat, 9 May 2026 18:17:16 +0800
Subject: [PATCH] Align Vercel JS CORS Vary-Origin behavior with Go

---
 internal/js/chat-stream/cors.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/internal/js/chat-stream/cors.js b/internal/js/chat-stream/cors.js
index 1a4b36a..f796639 100644
--- a/internal/js/chat-stream/cors.js
+++ b/internal/js/chat-stream/cors.js
@@ -19,13 +19,15 @@ const BLOCKED_CORS_REQUEST_HEADERS = new Set([
 function setCorsHeaders(res, req) {
   const origin = asString(readHeader(req, 'origin'));
   res.setHeader('Access-Control-Allow-Origin', origin || '*');
+  if (origin) {
+    addVaryHeader(res, 'Origin');
+  }
   res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS, PUT, DELETE');
   res.setHeader('Access-Control-Max-Age', '600');
   res.setHeader(
     'Access-Control-Allow-Headers',
     buildCORSAllowHeaders(req),
   );
-  addVaryHeader(res, 'Origin');
   addVaryHeader(res, 'Access-Control-Request-Headers');
   if (asString(readHeader(req, 'access-control-request-private-network')).toLowerCase() === 'true') {
     res.setHeader('Access-Control-Allow-Private-Network', 'true');