Don't set Vary when forgery protection is skipped

When request forgery protection is skipped, we should not add
"Sec-Fetch-Site" to the Vary header.

See: f5a1915

Author: djmb

actionpack/lib/action_controller/metal/request_forgery_protection.rb

@@ -285,10 +285,13 @@ def protect_from_forgery(options = {})
       # Turn off request forgery protection. This is a wrapper for:
       #
       #     skip_before_action :verify_request_for_forgery_protection
+      #     skip_after_action :append_sec_fetch_site_to_vary_header
       #
       # See `skip_before_action` for allowed options.
       def skip_forgery_protection(options = {})
-        skip_before_action :verify_request_for_forgery_protection, options.reverse_merge(raise: false)
+        options = options.reverse_merge(raise: false)
+        skip_before_action :verify_request_for_forgery_protection, options
+        skip_after_action :append_sec_fetch_site_to_vary_header, options
       end
 
       private

actionpack/test/controller/request_forgery_protection_test.rb

@@ -199,6 +199,15 @@ class SkipProtectionWhenUnprotectedController < ActionController::Base
   skip_forgery_protection
 end
 
+class ProtectedParentController < ActionController::Base
+  protect_from_forgery with: :exception
+end
+
+class SkipsInheritedProtectionController < ProtectedParentController
+  include RequestForgeryProtectionActions
+  skip_forgery_protection
+end
+
 # Controller using the deprecated skip_before_action :verify_authenticity_token
 class DeprecatedSkipVerifyAuthenticityTokenController < ActionController::Base
   include RequestForgeryProtectionActions
@@ -1289,6 +1298,40 @@ def assert_not_blocked(&block)
     assert_nothing_raised(&block)
     assert_response :success
   end
+
+  test "does not add Sec-Fetch-Site to Vary header when forgery protection is skipped" do
+    get :index
+    assert_response :success
+    assert_nil response.headers["Vary"]
+  end
+
+  test "response does not vary by Sec-Fetch-Site when forgery protection is skipped" do
+    @request.set_header "HTTP_SEC_FETCH_SITE", "same-origin"
+    post :index
+    assert_response :success
+
+    @request.set_header "HTTP_SEC_FETCH_SITE", "cross-site"
+    post :index
+    assert_response :success
+  end
+end
+
+class SkipsInheritedProtectionControllerTest < ActionController::TestCase
+  test "does not add Sec-Fetch-Site to Vary header when inherited forgery protection is skipped" do
+    get :index
+    assert_response :success
+    assert_nil response.headers["Vary"]
+  end
+
+  test "response does not vary by Sec-Fetch-Site when inherited forgery protection is skipped" do
+    @request.set_header "HTTP_SEC_FETCH_SITE", "same-origin"
+    post :index
+    assert_response :success
+
+    @request.set_header "HTTP_SEC_FETCH_SITE", "cross-site"
+    post :index
+    assert_response :success
+  end
 end
 
 class DeprecatedSkipVerifyAuthenticityTokenControllerTest < ActionController::TestCase