This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019.
It was pointed out to me that Access-Control-Allow-Methods and Access-Control-Allow-Headers might also benefit from Vary treatment to prevent intermediary caches from messing around.
Reported by Brock Allen (cc'd).
WG resolved to close without editorial action. http://www.w3.org/2011/webappsec/minutes/webappsec-minutes-27-Aug-2013.html
This is now bug 23653.