BZ61101: CORS filter should set Vary header in response. Submitted by Rick Riemer. This is the fix for CVE-2017-7674