From 2a5c167b218693d7f6e2ab49f737a5eb226d5bbb Mon Sep 17 00:00:00 2001
From: Jake Spurlock <whyisjake@git.wordpress.org>
Date: Mon, 14 Oct 2019 15:41:05 +0000
Subject: [PATCH] REST API: Send a Vary: Origin header on GET requests.

Add this header on all GET requests to prevent cached requests.

Props darthhexx, davidbinda, nickdaugherty, whyisjake.


git-svn-id: https://develop.svn.wordpress.org/trunk@46478 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/rest-api.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/wp-includes/rest-api.php b/src/wp-includes/rest-api.php
index 3e6f419f6b..b998cf7cda 100644
--- a/src/wp-includes/rest-api.php
+++ b/src/wp-includes/rest-api.php
@@ -589,6 +589,8 @@ function rest_send_cors_headers( $value ) {
 		header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
 		header( 'Access-Control-Allow-Credentials: true' );
 		header( 'Vary: Origin' );
+	} else if ( 'GET' === $_SERVER['REQUEST_METHOD'] && ! is_user_logged_in() ) {
+		header( 'Vary: Origin' );
 	}
 
 	return $value;