Describe the bug
The CORSPolicy middleware only sets the Access-Control-Allow-Credentials header on OPTIONS preflight responses, and it is missing on the real response. This allows the browser to proceed with the request when credentials: "include" is set, but the script will not be allowed to read the response body as a result. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials
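
An added example (not part of the original report or the project's code) that models the browser's CORS check from the Fetch standard on both the preflight and the real response, reproducing the behaviour described above. The origin and header objects are constructed sample values, and `corsCheck` and `simulateFetch` are hypothetical names.

```javascript
// Simplified CORS check, following the Fetch standard's algorithm.
// Header objects use lowercase header names.
function corsCheck(requestOrigin, credentialsMode, headers) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;
  if (credentialsMode !== "include" && allowOrigin === "*") return true;
  if (allowOrigin !== requestOrigin) return false;
  if (credentialsMode !== "include") return true;
  // A credentialed request needs the literal value "true" on THIS response.
  return headers["access-control-allow-credentials"] === "true";
}

// Models a preflighted cross-origin fetch against two server responses.
function simulateFetch(requestOrigin, credentialsMode, preflightHeaders, responseHeaders) {
  if (!corsCheck(requestOrigin, credentialsMode, preflightHeaders)) {
    return { requestSent: false, bodyReadable: false };
  }
  // Preflight passed: the real request is sent and handled by the server
  // (side effects included) whatever the second check decides.
  return {
    requestSent: true,
    bodyReadable: corsCheck(requestOrigin, credentialsMode, responseHeaders),
  };
}

// Constructed sample data.
const ORIGIN = "https://app.example";
const preflightHeaders = {
  "access-control-allow-origin": ORIGIN,
  "access-control-allow-credentials": "true",
};
// Behaviour in the report: the header is absent from the real response.
const buggyResponse = { "access-control-allow-origin": ORIGIN };
// Expected behaviour: the header is present on the real response as well.
const fixedResponse = {
  "access-control-allow-origin": ORIGIN,
  "access-control-allow-credentials": "true",
};

const buggy = simulateFetch(ORIGIN, "include", preflightHeaders, buggyResponse);
const fixed = simulateFetch(ORIGIN, "include", preflightHeaders, fixedResponse);
console.log("buggy:", buggy); // request sent, body blocked
console.log("fixed:", fixed); // request sent, body readable
```

A regression test for the middleware should therefore assert the header on the non-OPTIONS response too, not only on the preflight.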