Description
cors::CorsLayer sets the Vary response header to origin, access-control-request-method, access-control-request-headers (added in #199) regardless of the provided CORS configuration.
From MDN:
The HTTP Vary response header describes the parts of the request message (aside from the method and URL) that influenced the content of the response it occurs in. Including a Vary header ensures that responses are separately cached based on the headers listed in the Vary field.
cors::CorsLayer should only add a request header to the Vary response header if a dynamic response is calculated based on that request header. .permissive(), for example, does not dynamically adjust the response at all.
In general, dynamic behaviour appears to occur through various .mirror_request() methods. It can also occur when closures are passed, though there it isn't trivial to determine what request headers have been used to determine the response; that case may instead require a call-out in the documentation.
Workaround
```rust
use tower_http::cors::{CorsLayer, Vary};

// Override the default Vary header with an empty list.
CorsLayer::permissive().vary(Vary::list([]));
```
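The effect of the always-on Vary list on a shared cache, as an added example that is not part of the original issue or of tower-http's code. `Source`, `CorsModel`, `minimal_vary` and the cache-key scheme are a hypothetical model, and the request origins are constructed sample values.

```rust
use std::collections::{HashMap, HashSet};

// Hypothetical model (not tower-http's types): each CORS response header is
// either a fixed value or mirrored from the matching request header.
#[derive(Clone, Copy, PartialEq)]
enum Source { Static, MirrorRequest }
struct CorsModel { allow_origin: Source, allow_methods: Source, allow_headers: Source }

// The Vary value the issue reports as always being sent.
const FIXED_VARY: [&str; 3] =
    ["origin", "access-control-request-method", "access-control-request-headers"];

// Only request headers that influence the response belong in Vary.
fn minimal_vary(c: &CorsModel) -> Vec<&'static str> {
    let mut v = Vec::new();
    if c.allow_origin == Source::MirrorRequest { v.push(FIXED_VARY[0]); }
    if c.allow_methods == Source::MirrorRequest { v.push(FIXED_VARY[1]); }
    if c.allow_headers == Source::MirrorRequest { v.push(FIXED_VARY[2]); }
    v
}

type Request = HashMap<&'static str, &'static str>;

// A shared cache keys a stored response on the URL plus every header named in Vary.
fn cache_key(url: &str, vary: &[&str], req: &Request) -> String {
    let mut key = url.to_string();
    for h in vary {
        key.push_str(&format!("|{}={}", h, req.get(*h).copied().unwrap_or("")));
    }
    key
}

// Distinct cache entries produced by a set of requests to one URL.
fn distinct_entries(vary: &[&str], reqs: &[Request]) -> usize {
    reqs.iter().map(|r| cache_key("/api", vary, r)).collect::<HashSet<_>>().len()
}

// Constructed sample: three sites requesting the same resource.
fn sample_requests() -> Vec<Request> {
    ["https://a.example", "https://b.example", "https://c.example"]
        .iter().map(|o| HashMap::from([("origin", *o)])).collect()
}

fn main() {
    let s = Source::Static;
    let permissive = CorsModel { allow_origin: s, allow_methods: s, allow_headers: s };
    let reqs = sample_requests();
    println!("fixed Vary: {} cache entries", distinct_entries(&FIXED_VARY, &reqs));
    println!("minimal Vary: {} cache entries", distinct_entries(&minimal_vary(&permissive), &reqs));
}
```

When the origin is mirrored, `origin` has to stay in Vary: without it the cache would collapse the three requests into one entry and return one site's `Access-Control-Allow-Origin` value to the others.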