CorsService.php is appending 'Origin' to first vary header and chopping of rest of the vary header

[SunainaDutta14]

public function varyHeader(Response $response, $header): Response
    {
        if (!$response->headers->has('Vary')) {
            $response->headers->set('Vary', $header);
        } elseif (!in_array($header, explode(', ', $response->headers->get('Vary')))) {
            $response->headers->set('Vary', $response->headers->get('Vary') . ', ' . $header);
        }

        return $response;
    }

My response object has two vary header 'Cookie', 'Referer' but instead of appending 'Origin' at the end ,above code is adding  'Origin' after first vary header and rest of the vary headers are chopped off.

Sending third parameter 'FALSE' to set function will resolves the issue.
$response->headers->set('Vary', $header, FALSE);
Can someone please look into it and provide proper way to fix?
https://www.drupal.org/project/drupal/issues/3471642
I have raised an issue in Drupal as well.

[dpagini]

It appears to me that this is best demonstrated in the 2nd screenshot. Calling $response->headers->get('Vary') is returning ONLY the first header, "Cookie", and completely dropping "Referer". Line 216 is appending a new value. The expected headers at the end of this call are "Cookie,Referer,Origin", but instead the end result is "Cookie,Origin" (dropped Referer).

[dpagini]

I think that line 215 of CorsService.php assumes that $response->headers->get('Vary') returns a string, but it seems like it can return a string or an array.

[dpagini]

Ok, looking at this more... can this code just use the $response->setVary() method instead?