When using the 3rd party cookie, and tracking to piwik with AJAX, the request will (must) include the 3rd party cookie (see https://github.com/matomo-org/matomo/pull/13159 ).
It is already possible to set "cors_domains = " in config.ini.php to allow this.
However "The value of is special in that it does not allow requests to supply credentials, meaning it does not allow HTTP authentication, client-side SSL certificates, or cookies to be sent in the cross-domain request." (see https://en.wikipedia.org/wiki/Cross-origin_resource_sharing ).
Thus this change avoids the "*" value and also adds the 'Vary: Origin' header.