Advise Vary even for non-CORS-request responses

fetch.bs

@@ -5679,6 +5679,11 @@ the user agent to <a for=/>fetch</a> a response that includes
 from the previous non-<a>CORS request</a> that lacks
 `<a http-header><code>Access-Control-Allow-Origin</code></a>`.
 
+<p>However, if `<a http-header><code>Access-Control-Allow-Origin</code></a>` is set to
+<code>*</code> or a static <a for=/>origin</a> for a particular resource, then configure the server
+to always send `<a http-header><code>Access-Control-Allow-Origin</code></a>` in responses for the
+resource — for non-<a lt="CORS request">CORS requests</a> as well as <a lt="CORS request">CORS
+requests</a> — and do not use `<code>Vary</code>`.
 
 <h2 id=acknowledgments class=no-num>Acknowledgments</h2>