Always set Vary: Origin #49

Closed
wimleers opened this issue Dec 21, 2018 · 5 comments

@wimleers

Quoting fruitcake/laravel-cors#20:

In this case I tend to agree with your story and we should probably always add the Vary header.
@asm89

If stack-cors is changed to set the Vary header even on requests without an Origin, then this laravel-cors will need to be changed to always load the middleware
@drbild

Yes I know, if this has been changed, and #11 or similar has merged + tagged, ping me back and I'll change that.
@barryvdh

… but actually #11 did not change this. It is still not adding the Vary: Origin header always.

Over at fruitcake/laravel-cors#20 (comment), the maintainer of this repo (@asm89) agreed that that would be sensible to do.

@asm89, would you be still open to doing that?

@typhonius

Adding a note here that we're bumping into this with sites that use this library and have different requests from different origins being stored in Varnish cache. In line with what @wimleers is observing, when the request comes from the same origin, the response doesn't include a Vary header, which then causes CORS blockages for future requests that receive the cached response.

By always adding Vary: Origin, we'll cache different responses for each origin and the issue should be resolved.
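
Added example (not part of the thread and not stack-cors code): a toy Python model of the caching failure described in the comment above, with and without an unconditional `Vary: Origin`. The `origin_server` middleware, the `SharedCache` class, the URL and the allowed origin are constructed assumptions, and the cache is a simplified stand-in for a Vary-aware shared cache such as Varnish.

```python
ALLOWED = {"https://app.example"}  # constructed allow-list


def origin_server(req_headers, always_vary):
    """Toy CORS middleware: CORS headers are added only when Origin is present."""
    resp = {"body": "data"}
    origin = req_headers.get("Origin")
    if origin in ALLOWED:
        resp["Access-Control-Allow-Origin"] = origin
    # Behaviour reported in the issue: Vary is skipped when there is no Origin.
    # The proposed change sets it on every response.
    if origin is not None or always_vary:
        resp["Vary"] = "Origin"
    return resp


class SharedCache:
    """Simplified shared cache: one variant per combination of Vary'd headers."""

    def __init__(self, backend):
        self.backend = backend
        self.vary = {}   # url -> header names the stored response varies on
        self.store = {}  # (url, values of those headers) -> cached response

    def _key(self, url, names, req_headers):
        return (url, tuple(req_headers.get(n) for n in names))

    def fetch(self, url, req_headers):
        names = self.vary.get(url)
        if names is not None:
            key = self._key(url, names, req_headers)
            if key in self.store:
                return self.store[key]  # cache hit, backend never consulted
        resp = self.backend(req_headers)
        vary = resp.get("Vary", "")
        names = tuple(h.strip() for h in vary.split(",") if h.strip())
        self.vary[url] = names
        self.store[self._key(url, names, req_headers)] = resp
        return resp


def cross_origin_allowed(always_vary):
    """Prime the cache with a request lacking Origin, then ask cross-origin."""
    cache = SharedCache(lambda h: origin_server(h, always_vary))
    cache.fetch("/api/items", {})  # same-origin request: no Origin header
    resp = cache.fetch("/api/items", {"Origin": "https://app.example"})
    return resp.get("Access-Control-Allow-Origin") == "https://app.example"
```

Without the unconditional header, the first response is stored with no variant key, so the cross-origin request is served that copy and the browser sees no `Access-Control-Allow-Origin`.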

@asm89
Owner

asm89 commented Jan 10, 2019

Sounds fair.

@wimleers Could you work on a pull request? Since this library has been stable for a long time, perhaps we should put the "always reply with Vary: Origin" behavior behind a new configuration option.

@mrbaileys

Created a pull request that added an additional option 'alwaysSetVaryOrigin'. If not set (default), current behavior remains unchanged. When the flag is set, this library will add a Vary: Origin header to all responses.

@davidbarratt
Contributor

Can you all try out #68 and see if it resolves your problem? I think it should fix the cacheability without adding new configuration.

@barryvdh
Collaborator

I think this should all be fixed now.
