I think enough WP setups have some caching engine like Varnish installed that it'd be useful to have a 'Vary: Origin' header on any responses that have a Access-Control-Allow-Origin header.
Steps to replicate:
Send CURL request to WP API with a custom origin. See that the it returns with Access-Control-Allow-Origin: custom origin but does not have a Vary: Origin header so if you have a caching engine installed and send another request with a separate origin than the first, it will still return custom origin .
Forgot to add a link to the HAPI code as an example of a framework providing a Vary header by default in their CORS support: ​ https://github.com/hapijs/hapi/blob/master/lib/cors.js#L157
Edit #1
​ https://github.com/WP-API/WP-API/issues/2661 for original issue posted on WP-API repo.
vary: origin is a W3 CORS implementation recommendation( ​ https://www.w3.org/TR/cors/#resource-implementation ). It's used by default in frameworks such as hapi and Laravel-cors. Overall, it helps sites siting behind a cache such as varnish.
Fixes #38060 .
Props procodewp, pdufour for research.

Visit our X (formerly Twitter) account

Visit our Instagram account

Visit our LinkedIn account

Visit our YouTube channel