From 3b2c6568a5e1151b5db653cebc19c37be055a826 Mon Sep 17 00:00:00 2001
From: Jake Spurlock <whyisjake@git.wordpress.org>
Date: Tue, 15 Oct 2019 15:45:39 +0000
Subject: [PATCH] REST API: Allow for multiple Vary: Origin headers in GET
 responses.

Simple fix, we pass `false` as the second parameter to the header function.

This is something that we added downstream of the 5.2.4 release, but we missed in 5.2/trunk.

Fixes #48309.
Props xknown, whyisjake.


git-svn-id: https://develop.svn.wordpress.org/trunk@46544 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/rest-api.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/wp-includes/rest-api.php b/src/wp-includes/rest-api.php
index 653abc0c8d..417b8ddada 100644
--- a/src/wp-includes/rest-api.php
+++ b/src/wp-includes/rest-api.php
@@ -588,9 +588,9 @@ function rest_send_cors_headers( $value ) {
 		header( 'Access-Control-Allow-Origin: ' . $origin );
 		header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
 		header( 'Access-Control-Allow-Credentials: true' );
-		header( 'Vary: Origin' );
+		header( 'Vary: Origin', false );
 	} elseif ( ! headers_sent() && 'GET' === $_SERVER['REQUEST_METHOD'] && ! is_user_logged_in() ) {
-		header( 'Vary: Origin' );
+		header( 'Vary: Origin', false );
 	}
 
 	return $value;