nelmio / NelmioCorsBundle

Adds CORS (Cross-Origin Resource Sharing) headers support in your Symfony application
https://symfony.com/bundles/NelmioCorsBundle/
MIT License

Make sure the preflight responses vary per Origin #110

Closed Toflar closed 5 years ago

Toflar commented 6 years ago

Hey Jordi 😄

Just had an issue where my browser cache went crazy because the response of my API was still in the cache even though I developed locally. This is due to the missing Vary header on the Origin header.

More on that: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin#CORS_and_caching
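The caching problem described in the comment above, as an added example that is not part of the original post and is not NelmioCorsBundle code: a toy HTTP cache that honours `Vary`, showing that a response cached for one origin is replayed to another origin unless the server sends `Vary: Origin`. The origins, the URL and the names `apiResponse`, `ToyCache`, `corsCheckPasses` and `secondOriginResult` are assumptions made up for this illustration.

```javascript
// Toy model of an HTTP cache (browser or shared); not NelmioCorsBundle code.
// The origins and the URL below are constructed sample values.
const ALLOWED = ['http://localhost:8000', 'https://app.example'];

// Hypothetical CORS-enabled endpoint: reflects an allowed Origin back.
function apiResponse(request, sendVary) {
  const headers = { 'cache-control': 'max-age=3600' };
  const origin = request.headers.origin;
  if (ALLOWED.includes(origin)) headers['access-control-allow-origin'] = origin;
  if (sendVary) headers['vary'] = 'Origin';
  return { status: 200, headers, body: '{"ok":true}' };
}

class ToyCache {
  constructor() { this.entries = new Map(); } // "METHOD URL" -> stored variants
  // A stored variant matches when every header named in Vary has the same value.
  static matches(variant, request) {
    const vary = variant.response.headers['vary'];
    if (!vary) return true; // no Vary: any request for this URL reuses the entry
    return vary.split(',').map(h => h.trim().toLowerCase())
      .every(h => variant.request.headers[h] === request.headers[h]);
  }
  fetch(request, upstream) {
    const key = `${request.method} ${request.url}`;
    const variants = this.entries.get(key) || [];
    const hit = variants.find(v => ToyCache.matches(v, request));
    if (hit) return { response: hit.response, fromCache: true };
    const response = upstream(request);
    this.entries.set(key, [...variants, { request, response }]);
    return { response, fromCache: false };
  }
}

// Browser-side check: the allowed origin must equal the requesting origin.
function corsCheckPasses(response, origin) {
  const allow = response.headers['access-control-allow-origin'];
  return allow === '*' || allow === origin;
}

// Two origins request the same URL through one cache; report the second one's result.
function secondOriginResult(sendVary) {
  const cache = new ToyCache();
  const req = origin => ({ method: 'GET', url: 'https://api.example/items', headers: { origin } });
  cache.fetch(req(ALLOWED[0]), r => apiResponse(r, sendVary));
  const { response, fromCache } = cache.fetch(req(ALLOWED[1]), r => apiResponse(r, sendVary));
  return { fromCache, corsOk: corsCheckPasses(response, ALLOWED[1]) };
}

console.log('without Vary:     ', secondOriginResult(false));
console.log('with Vary: Origin:', secondOriginResult(true));
```

Without the header the second origin gets a cache hit carrying the first origin's `Access-Control-Allow-Origin` and fails the CORS check; with `Vary: Origin` the cache stores one variant per origin.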

Seldaek commented 5 years ago

Thanks

Oliboy50 commented 4 years ago

I'm late here, but isn't it a fix which can also replace the need for the forced_allow_origin_value configuration parameter?

If the cache now changes depending on the Origin header, then I think I don't need the forced_allow_origin_value anymore 🤷‍♂

Oliboy50 commented 4 years ago

This was something I've noted in this PR: https://github.com/nelmio/NelmioCorsBundle/pull/72

Note: As @Seldaek said, we could also set a Vary: Origin header to work around the cache issues instead of merging this PR (if the cache system supports it).

Anyway, I'll try to remove it in one of our projects in production to see if it's still useful for us. If it's not, maybe we could consider removing this extra parameter from this bundle (or at least starting to deprecate it for a while and see if people open some issues about it before effectively removing it).