Multiple origin caching CORS issue
Currently being logged in at two different origins accessing the API with etags results in CORS errors in both Chrome and Firefox (but they show different errors..)
I have a suspicion that this is an Apache bug which wrongly strips CORS headers from 304 responses, but I'm not sure:
- https://bz.apache.org/bugzilla/show_bug.cgi?id=51223
- https://bugzilla.mozilla.org/show_bug.cgi?id=1311566
- https://github.com/web-platform-tests/wpt/pull/5005
I've tried a workaround in 0564a239, but we can only test this in production.
The errors from both browsers are confusing:
- Chrome hides the 304 response and shows a 200 cached response with the wrong CORS header. This makes no sense since we send `Vary: Origin`, so it shouldn't use the cache (???) -> this might explain it: https://lists.w3.org/Archives/Public/www-archive/2017Aug/0000.html
- Firefox shows a 304 without any CORS headers and then complains that CORS origin doesn't match, but there is no origin.. so maybe it also uses the cached version in the background.
Edited by Reiter, Christoph
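
A simplified model of the failure suspected above, added here as an illustration and not code from this project: a cache revalidates its stored entry with `If-None-Match`, and a 304 that lacks `Access-Control-Allow-Origin` leaves the first origin's value on the reused response. The single-entry cache, the origins `https://a.example` and `https://b.example`, and the `stripCorsOn304` switch are assumptions made for the example.

```javascript
// Assumption: one cache entry per URL, and a Vary mismatch leads to
// revalidation with the stored ETag instead of an unconditional fetch.
const ACAO = 'access-control-allow-origin';

// Constructed origin server that always serves the same ETag.
// stripCorsOn304 models a server that drops CORS headers from 304 responses.
function makeServer({ stripCorsOn304 }) {
  return function handle(req) {
    const cors = { [ACAO]: req.origin, vary: 'Origin' };
    if (req.ifNoneMatch === '"v1"') {
      const headers = stripCorsOn304 ? { etag: '"v1"' } : { etag: '"v1"', ...cors };
      return { status: 304, headers };
    }
    return { status: 200, headers: { etag: '"v1"', ...cors }, body: 'data' };
  };
}

function makeClient(server) {
  let entry = null; // the single stored response for the URL
  return function fetchFrom(origin) {
    const ifNoneMatch = entry ? entry.headers.etag : undefined;
    const res = server({ origin, ifNoneMatch });
    if (res.status === 304) {
      // RFC 7234 section 4.3.4: headers present in the 304 replace the stored
      // ones; headers absent from the 304 keep their stored value.
      entry = { ...entry, headers: { ...entry.headers, ...res.headers } };
    } else {
      entry = { status: res.status, headers: res.headers, body: res.body };
    }
    // CORS check against the response that is handed to the page.
    const allowOrigin = entry.headers[ACAO];
    return { servedStatus: entry.status, allowOrigin, corsOk: allowOrigin === origin };
  };
}

// Same resource requested first from origin A, then from origin B.
function scenario(stripCorsOn304) {
  const fetchFrom = makeClient(makeServer({ stripCorsOn304 }));
  return [fetchFrom('https://a.example'), fetchFrom('https://b.example')];
}

console.log('304 without CORS headers:', scenario(true)[1]);
console.log('304 with CORS headers:   ', scenario(false)[1]);
```

In the first scenario the second origin receives a cached 200 whose allowed origin is still the first origin, so the CORS check fails; when the 304 repeats the CORS headers, the stored value is refreshed and the check passes.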