expressjs/cors

`Vary: Origin` should not be set if the `Origin` request header is ignored

Open

#332 created on October 19, 2024

Labels: 3.x, bug, help wanted

Description

The Vary HTTP response header is useful to ensure proper caching of CORS responses and prevent cache poisoning. However, it comes with a downside: (potentially significantly) increasing the cache size, since each client's origin will create a different cached value.

The standard mentions:

If Access-Control-Allow-Origin is set to * or a static origin for a particular resource, then configure the server to always send Access-Control-Allow-Origin in responses for the resource — for non-CORS requests as well as CORS requests — and do not use Vary.

In other words, if the CORS response is always the same regardless of the Origin request header, Vary: Origin should not be set. Currently, this module mostly gets it right except in two cases:

  1. If the origin option is a function, regardless of the return value of that function (including '*'), Vary: Origin should be set, since that function might (and most likely did) use the Origin request header.

https://github.com/expressjs/cors/blob/53312a5bee605e2486fa734756abb3c0bc2f891d/lib/index.js#L209-L216

https://github.com/expressjs/cors/blob/53312a5bee605e2486fa734756abb3c0bc2f891d/lib/index.js#L41-L46

  2. If the origin option is a string, Vary: Origin should not be set, since Access-Control-Allow-Origin is always the same value, and the Origin request header is ignored.

https://github.com/expressjs/cors/blob/53312a5bee605e2486fa734756abb3c0bc2f891d/lib/index.js#L47-L56
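To make the proposed rule concrete, here is an added example that is not the cors module's own code: a simplified origin decision that emits `Vary: Origin` only when the response actually depends on the request's `Origin` header. It assumes `options.origin` is a string, a boolean, or a function using a synchronous `(origin, callback)` style; the real module also accepts RegExp and array values and calls the callback asynchronously.

```javascript
// Added illustration of the behaviour proposed in this issue (not the
// expressjs/cors implementation). Shapes of options.origin handled here:
//   '*' or a fixed string  -> static value, request Origin is ignored
//   true / false           -> reflect the request Origin / send no header
//   function(origin, cb)   -> decides per request; cb(err, string|boolean)

function resolveOrigin(option, requestOrigin) {
  // Value for Access-Control-Allow-Origin, or null for "send no header".
  if (option === true) return requestOrigin || null; // reflect the request
  if (option === false) return null;                 // CORS disabled
  if (typeof option === 'string') return option;     // static origin or '*'
  throw new TypeError('unsupported origin option in this example');
}

function corsHeaders(options, requestHeaders) {
  const requestOrigin = requestHeaders.origin;
  let option = options.origin;
  let dependsOnRequest = false;

  if (typeof option === 'function') {
    // Point 1 of the issue: the function may read the request Origin, so the
    // response depends on it no matter what it returns (even '*' or false).
    dependsOnRequest = true;
    option(requestOrigin, (err, decided) => {
      if (err) throw err;
      option = decided;
    });
  }
  // Reflecting the request origin obviously varies by request as well.
  if (option === true) dependsOnRequest = true;

  const headers = {};
  const allow = resolveOrigin(option, requestOrigin);
  if (allow !== null) headers['Access-Control-Allow-Origin'] = allow;
  // Point 2 of the issue: a static string ignores the request header, so no
  // Vary: Origin is emitted and a shared cache can serve one copy to everyone.
  if (dependsOnRequest) headers['Vary'] = 'Origin';
  return headers;
}
```

With a static `origin: 'https://app.example'` the result carries no `Vary` header, while `origin: (o, cb) => cb(null, '*')` yields `Access-Control-Allow-Origin: *` together with `Vary: Origin`.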
