--- java/org/apache/catalina/filters/CorsFilter.java.orig	2017-10-12 16:48:47.426952298 -0400
+++ java/org/apache/catalina/filters/CorsFilter.java	2017-10-12 16:48:47.431952269 -0400
@@ -297,6 +297,10 @@
                     exposedHeadersString);
         }
 
+        // Indicate the response depends on the origin
+        response.addHeader(CorsFilter.REQUEST_HEADER_VARY,
+                CorsFilter.REQUEST_HEADER_ORIGIN);
+
         // Forward the request down the filter chain.
         filterChain.doFilter(request, response);
     }
@@ -998,6 +1002,13 @@
             "Access-Control-Allow-Headers";
 
     // -------------------------------------------------- CORS Request Headers
+
+    /**
+     * The Vary header indicates allows disabling proxy caching by indicating
+     * the the response depends on the origin.
+     */
+    public static final String REQUEST_HEADER_VARY = "Vary";
+
     /**
      * The Origin header indicates where the cross-origin request or preflight
      * request originates from.
--- webapps/docs/changelog.xml.orig	2017-10-12 16:48:47.428952287 -0400
+++ webapps/docs/changelog.xml	2017-10-12 16:50:08.718477877 -0400
@@ -57,6 +57,16 @@
   They eventually become mixed with the numbered issues. (I.e., numbered
   issues do not "pop up" wrt. others).
 -->
+<section name="Tomcat 7.0.76-3 (csutherl)">
+  <subsection name="Catalina">
+    <changelog>
+      <fix>
+        <bug>61101</bug>: CORS filter should set Vary header in response.
+        Submitted by Rick Riemer. (remm)
+      </fix>
+    </changelog>
+  </subsection>
+</section>
 <section name="Tomcat 7.0.76-2 (csutherl)">
   <subsection name="Catalina">
     <changelog>