REST API: Allow for multiple Vary: Origin headers in GET responses.

Simple fix, we pass `false` as the second parameter to the header function.

This is something that we added downstream of the 5.2.4 release, but we missed in 5.2/trunk.

Fixes #48309.
Props xknown, whyisjake.


git-svn-id: https://develop.svn.wordpress.org/trunk@46544 602fd350-edb4-49c9-b593-d223f7449a82

src/wp-includes/rest-api.php

@@ -588,9 +588,9 @@ function rest_send_cors_headers( $value ) {
 		header( 'Access-Control-Allow-Origin: ' . $origin );
 		header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
 		header( 'Access-Control-Allow-Credentials: true' );
-		header( 'Vary: Origin' );
+		header( 'Vary: Origin', false );
 	} elseif ( ! headers_sent() && 'GET' === $_SERVER['REQUEST_METHOD'] && ! is_user_logged_in() ) {
-		header( 'Vary: Origin' );
+		header( 'Vary: Origin', false );
 	}
 
 	return $value;