Set Vary: Origin on CORS unauthorized response [SPR-16224]

[spring-projects-issues]

Adrian Cole opened SPR-16224 and commented

Maybe our Cors impl should be setting Vary when we deny, due to some
noted cache poison concerns.

Ex we don't set Vary: Origin on 403, but other impls do...

https://github.com/rs/cors/blob/master/cors_test.go#L118

---

Issue Links:

• Add Vary: Access-Control-Request-Method/Headers CORS headers [SPR-16413] #20959 Add Vary: Access-Control-Request-Method/Headers CORS headers

Referenced from: commits 4a87d3d