- Issue type: Enhancement
- Resolution: Done
- Priority: Major
The management endpoint can be accessed from a list of allowed origins. In that case CORS-relevant headers such as Access-Control-Allow-Origin: <allowed origin> are added to the response.
Since the list of allowed origins is dynamic (the value of Access-Control-Allow-Origin depends on the Origin header of the request), the header Vary: Origin should be added as well. See https://www.w3.org/TR/cors/#resource-implementation.
Without the Vary header in the response, a client may reuse a cached response whose Access-Control-Allow-Origin value was issued for a different origin. Consider this scenario:
- http://localhost:3000 (client1) and http://localhost:4000 (client2) are both configured as allowed origins
- client1 reads a resource description using http://localhost:9990/management/profile/default/subsystem/batch-jberet?operation=resource-description. Since it is a GET request, the response is cached.
- client2 reads the same resource description
Without the Vary header, client2 would use the cached response. However, the origin in the cached response (http://localhost:3000) does not match the current origin (http://localhost:4000), which causes the browser to reject the response with CORS errors.
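The scenario above replayed in code, as an added example that is not part of the issue or of the project it concerns: a minimal CORS header builder and a simplified Vary-aware cache; the origins, URL and cache model are constructed for the illustration.

```python
"""Added example: why a dynamic Access-Control-Allow-Origin needs Vary: Origin."""

# Constructed allow-list matching the two clients in the scenario.
ALLOWED_ORIGINS = {"http://localhost:3000", "http://localhost:4000"}

def cors_headers(origin, allowed=ALLOWED_ORIGINS, add_vary=True):
    """Build response headers for a GET carrying the given Origin."""
    headers = {"Content-Type": "application/json"}
    if origin in allowed:
        headers["Access-Control-Allow-Origin"] = origin
    # The response depends on Origin whether or not it matched, so Vary is
    # sent in both cases. add_vary=False reproduces the reported behaviour.
    if add_vary:
        headers["Vary"] = "Origin"
    return headers

class Cache:
    """Simplified shared cache honouring Vary (RFC 7234 section 4.1): a stored
    response is reused only if every request header named in Vary has the
    same value as in the request that stored it."""
    def __init__(self):
        self.entries = {}  # url -> list of (varied request headers, response)

    def lookup(self, url, request_headers):
        for req_key, response in self.entries.get(url, []):
            if all(request_headers.get(h) == v for h, v in req_key.items()):
                return response
        return None

    def store(self, url, request_headers, response):
        vary = [h.strip() for h in response.get("Vary", "").split(",") if h.strip()]
        req_key = {h: request_headers.get(h) for h in vary}
        self.entries.setdefault(url, []).append((req_key, response))

def fetch(cache, url, origin, add_vary):
    """GET through the cache; return the Access-Control-Allow-Origin the client sees."""
    request_headers = {"Origin": origin}
    response = cache.lookup(url, request_headers)
    if response is None:
        response = cors_headers(origin, add_vary=add_vary)
        cache.store(url, request_headers, response)
    return response.get("Access-Control-Allow-Origin")

URL = ("http://localhost:9990/management/profile/default/subsystem/"
       "batch-jberet?operation=resource-description")

def scenario(add_vary):
    """client1 reads the resource, then client2; return what client2 receives."""
    cache = Cache()
    fetch(cache, URL, "http://localhost:3000", add_vary)
    return fetch(cache, URL, "http://localhost:4000", add_vary)
```

Without Vary, client2 receives the entry cached for client1 and its Access-Control-Allow-Origin names http://localhost:3000; with Vary: Origin the cache misses and client2 gets a response issued for its own origin.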