As explained in http://www.fastly.com/blog/best-practices-for-using-the-vary-header/, responses should ALWAYS include `Vary: Origin` if there's a chance for the response to differ depending on the Origin header in the request. This covers the case where 2 requests for the same resource, one including the Origin header and the other not including it, should have different responses. If the Vary header doesn't mention Origin, then intermediary caches (like any CDN) will cache the response (including its headers) and will use it regardless of whether the request includes the Origin header. This is to play nice with caches. Otherwise rack-cors can't be used with caches in certain situations.
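The caching behaviour described above, as an added Ruby illustration (not rack-cors code and not part of the original change): a toy origin server and a toy shared cache that honours `Vary`, replayed with and without `Vary: Origin`. The names `ToyCache`, `origin_response`, `replay`, the path `/api/data` and the origin `https://app.example` are all constructed for this example.

```ruby
# Added illustration: toy origin server and toy shared cache (not rack-cors code).
ALLOWED = ["https://app.example"].freeze # constructed sample origin

# Origin server: adds the CORS header only when the request carries an allowed Origin.
def origin_response(req_headers, send_vary:)
  headers = { "Content-Type" => "application/json" }
  headers["Vary"] = "Origin" if send_vary
  origin = req_headers["Origin"]
  headers["Access-Control-Allow-Origin"] = origin if ALLOWED.include?(origin)
  { headers: headers, body: '{"ok":true}' }
end

# Shared cache: the primary key is the URL; the secondary key is built from the
# request headers named in the Vary header of the response stored for that URL.
class ToyCache
  def initialize(send_vary:)
    @send_vary = send_vary
    @store = {} # url => { secondary_key => response }
    @vary  = {} # url => request header names listed in Vary
  end

  def fetch(url, req_headers)
    key = @vary.fetch(url, []).map { |name| req_headers[name].to_s }
    hit = @store.dig(url, key)
    return hit.merge(cache: :hit) if hit

    resp = origin_response(req_headers, send_vary: @send_vary)
    names = resp[:headers].fetch("Vary", "").split(",").map(&:strip)
    @vary[url] = names
    (@store[url] ||= {})[names.map { |name| req_headers[name].to_s }] = resp
    resp.merge(cache: :miss)
  end
end

# Replays the case from the text: a request without Origin warms the cache,
# then a CORS request for the same URL arrives.
def replay(send_vary:)
  cache = ToyCache.new(send_vary: send_vary)
  first  = cache.fetch("/api/data", {})
  second = cache.fetch("/api/data", { "Origin" => "https://app.example" })
  [first, second]
end

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |vary|
    _, second = replay(send_vary: vary)
    acao = second[:headers]["Access-Control-Allow-Origin"].inspect
    puts "Vary sent=#{vary}: cache=#{second[:cache]} ACAO=#{acao}"
  end
end
```

Without `Vary: Origin` the second request is served the cached response that lacks `Access-Control-Allow-Origin`, so the browser rejects an otherwise permitted cross-origin read; with it, the cache stores a separate variant per Origin value.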
…nfigured. Previously, the configuration `origin "file://"` would effectively only permit `Origin: null` requests. Fixes #53.
According to the latest CORS spec, a preflight response should set the Access-Control-Allow-Origin header to '*' only if the resource doesn't support credentials (Section "5.2 Preflight request", step 7). References: http://www.w3.org/TR/2010/WD-cors-20100727/ and http://www.w3.org/TR/2010/WD-cors-20100727/#resource-preflight-requests