Using CORS in Drupal 8 with Varnish may lack some Access-Control-Allow-* headers