It looks like the CORSRequestHandler does not handle HTTP caches/CDNs well.
An example I found is this handling inside the handleActualRequest method:
From W3 spec http://www.w3.org/TR/cors/#resource-implementation:
"Resources that wish to enable themselves to be shared with multiple Origins but do not respond uniformly with "*" must in practice generate the Access-Control-Allow-Origin header dynamically in response to every request they wish to allow. As a consequence, authors of such resources should send a Vary: Origin HTTP header or provide other appropriate control directives to prevent caching of such responses, which may be inaccurate if re-used across-origins."
My preference is to set the Access-Control-Allow-Origin header to the value of the configuration rather than the incoming Origin header, therefore reducing cache size in the instances where multiple origins may be used.