Problem/Motivation
When enabling CORS support in Drupal, cacheability is broken because this header is added to every request (of a different origin, but that is a different bug, see: #3001809: CORS breaks with cache proxies and same origin usage.):
Vary: Origin
This breaks cacheability because if a site allows numerous other origins to make requests to their site, they will get a cached version for each origin. Some CDNs will not cache the request at all if this is present as it results in too many cache objects.
Proposed resolution
This problem has been resolved upstream in asm89/stack-cors#64. The most recent release this has been included in is 2.0.0.
I would like to backport this release when it is in a stable upstream release.
Remaining tasks
Write Upgrade Patch
User interface changes
None
API changes
Requests that were not cached before may become cached.
Data model changes
None.
Release notes snippet
Enabling CORS preserves cacheability whenever possible.
Previously, enabling CORS would add Vary: Origin to all requests of a different origin. With this change, enabling CORS will only add this if absolutely necessary.