go-safeweb
plugins/staticheaders: Add a `Vary: Cookie` header by default
This is important for XSRF double-submit cookies and for other potential non-security related breakages.
Note: we cannot claim `Vary` but we should just add the value.
MDN: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Vary.
I agree that for now we should add the value to the `Vary` header, but we might consider actually having a separate plugin to control `Vary`
(or other headers like the ones for Cookies) and expose safe mutators.
Vary should probably be treated in an append-only way, and we might want to even consider adding this to the framework rather than trying to have a plugin that is shared across multiple plugins.
The issue with having this in the core of the framework rather than a plugin is harder migration, because we usually don't offer opt-outs from core features. That being said, I'm not sure it's a big concern.
I'd be in favor of having a separate API for dealing with the `Vary` header, similarly to how we have a separate one for cookies.
What is the alternative? Add a generic way to support append-only headers?
EDIT: Nevermind, I misremembered what was in this thread.
Anyway, it seems that @empijei is in favor of adding it to the core of the framework too. Up for grabs. ;)
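The append-only `Vary` handling the thread circles around, as an added Go example that is not go-safeweb's code: `AddVary` merges new field names into an existing `Vary` header without overwriting it, and `VaryCookie` (a hypothetical middleware, not one of the project's plugins) uses it to put `Vary: Cookie` on every response.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// AddVary extends the Vary response header append-only: existing values stay,
// case-insensitive duplicates are dropped, and a "*" on either side collapses
// the header to "*", which already covers every request header.
func AddVary(h http.Header, fields ...string) {
	var merged []string
	seen := map[string]bool{}
	add := func(f string) {
		f = strings.TrimSpace(f)
		if key := strings.ToLower(f); f != "" && !seen[key] {
			seen[key] = true
			merged = append(merged, f)
		}
	}
	for _, v := range h.Values("Vary") { // Vary may span several header lines
		for _, f := range strings.Split(v, ",") {
			add(f)
		}
	}
	for _, f := range fields {
		add(f)
	}
	if seen["*"] {
		h.Set("Vary", "*")
	} else if len(merged) > 0 {
		h.Set("Vary", strings.Join(merged, ", "))
	}
}

// VaryCookie is a hypothetical middleware (not a go-safeweb plugin) adding
// Vary: Cookie to every response, so a shared cache cannot serve one user's
// cookie-dependent page (e.g. carrying an XSRF double-submit token) to another.
func VaryCookie(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		AddVary(w.Header(), "Cookie")
		next.ServeHTTP(w, r)
	})
}
func main() {
	h := http.Header{"Vary": {"Accept-Encoding, cookie"}}
	AddVary(h, "Cookie", "Origin")
	fmt.Println(h.Get("Vary")) // Accept-Encoding, cookie, Origin
}
```

Because `http.Header.Set` replaces the whole field, a downstream handler that sets `Vary` directly silently discards the `Cookie` value added by the middleware; that is the footgun an append-only API in the framework would remove.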