Issue #20
new
This issue relates to https://bitbucket.org/thetransactioncompany/cors-filter/issue/16
If the "Vary: Origin" header is only added when credentials are allowed or the allowed origin list is bounded, then it will not be added when credentials are not allowed and the origin list is unbounded. This is problematic in the situation described by Chris above, where there is a CDN and some clients use CORS and some do not. It is possible that non-CORS responses will be cached and served to CORS clients because the original non-CORS response doesn't include the "Vary: Origin" header.
Sorry, forgot to sign in before creating issue.
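The caching scenario described in this issue, as an added example that is not part of the original report or of the cors-filter code base: a toy shared cache that honours `Vary`, run once with the conditional policy and once with `Vary: Origin` on every response. The server behaviour (sending `Access-Control-Allow-Origin: *` only when the request carries an `Origin` header), all function names and the URLs are assumptions constructed for this illustration.

```python
# Added illustration; names, URLs and server behaviour are constructed.

def origin_server(request_headers, always_vary):
    """Resource with credentials disallowed and an unbounded origin list."""
    response = {}
    if "Origin" in request_headers:
        # Assumed CORS behaviour: any origin allowed, no credentials.
        response["Access-Control-Allow-Origin"] = "*"
    if always_vary:
        # Proposed behaviour: mark every response, CORS or not.
        response["Vary"] = "Origin"
    # Conditional policy: credentials are off and the origin list is
    # unbounded, so no Vary header is ever emitted for this resource.
    return response


class SharedCache:
    """CDN stand-in: stores variants per URL, selected by the Vary header."""

    def __init__(self, backend):
        self.backend = backend
        self.store = {}  # url -> [(vary_names, vary_values, response)]

    def fetch(self, url, request_headers):
        for names, values, response in self.store.get(url, []):
            if tuple(request_headers.get(n) for n in names) == values:
                return response, "HIT"
        response = self.backend(request_headers)
        vary = response.get("Vary", "")
        names = tuple(h.strip() for h in vary.split(",") if h.strip())
        values = tuple(request_headers.get(n) for n in names)
        self.store.setdefault(url, []).append((names, values, response))
        return response, "MISS"


def simulate(always_vary):
    """Non-CORS client primes the cache, then a CORS client asks."""
    cache = SharedCache(lambda req: origin_server(req, always_vary))
    url = "https://cdn.example/data.json"              # constructed URL
    cache.fetch(url, {})                               # non-CORS request
    response, status = cache.fetch(url, {"Origin": "https://app.example"})
    return status, "Access-Control-Allow-Origin" in response


if __name__ == "__main__":
    print("conditional Vary:", simulate(always_vary=False))
    print("always Vary:     ", simulate(always_vary=True))
```

With the conditional policy the CORS client receives the cached non-CORS response and the browser's CORS check fails; with `Vary: Origin` on every response the cache keeps the two variants apart.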