Problem/Motivation
If you use ajax requests from the same origin, CORS support is omitted (for obvious reasons) and no `Origin` key is added to the `Vary` header and naturally the Access-Control-Allow-Origin header is not emitted. However, the request does cache and if a request from another origin is made, it receives the cached item without the CORS data.
Proposed resolution
Technically, every route in Drupal is a CORS route since CORS will activate if an Origin header is passed in the request. So shouldn't the Origin key be added to the Vary response for every Drupal request? That way, upstream caches will variate their cache and miss if the origin header is present or different?