CORS when no Origin

[adsko]

Hello,

When CORS Middleware do handle a request, there is a check, if Origin is None:

        if origin is None:
            await self.app(scope, receive, send)
            return

Based on #810 MDN informs Origin need to set in order to return correct headers but I can not find an information that it's a requirement. Only that the browser will send it when CORS request.

To be precise, it is a little bit problematic when your application is behind some kind of cache layer, like CDN. In that case, when you do enter site with GET request (simple page open in the browser), Origin is not set and the layer do cache missing CORS headers.

Based on this, I hope we can:

• Force CORS, even when no Origin header
• Add Vary header, when no Origin header. That way, most cache layers should cache the response properly.