Hey there, I'm not sure of the status of your plug here, hopefully you're still around. Thanks for your time on this library.
I ran into a small issue with the default config. If you don't consider this a bug, perhaps this paper trail will be helpful for some other future traveler.
When creating a request in browser-land javascript, like this:
By default CORSPlug gives an invalid response:
Firefox fails with an ambiguous "null" and Chrome shows the message:
Access to fetch at '[url]' from origin '[other url]' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.
The MDN Article on Access-Control-Allow-Origin explains further:
For requests without credentials, the literal value "*" can be specified as a wildcard; the value tells browsers to allow requesting code from any origin to access the resource. Attempting to use the wildcard with credentials results in an error.
A behavior I have seen elsewhere is that when the origin is specified as '*', credentials is disabled. In that case, it's silently disabled, which bit me in a different way.
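The rule quoted from Chrome and MDN above, as an added example (not part of the original issue and not CORSPlug code): a simplified model of the browser's CORS check, next to a server-side header builder that echoes an allowlisted origin instead of `*`. All function names, origins and the sample wildcard response are constructed for illustration.

```javascript
// Simplified model of the browser's CORS check (after the Fetch standard).
// Returns "ok" or the reason the response would be blocked.
function corsCheck(requestOrigin, credentialsMode, headers) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return "missing Access-Control-Allow-Origin";
  const withCredentials = credentialsMode === "include";
  if (allowOrigin === "*") {
    // The wildcard is only honoured for requests without credentials.
    return withCredentials ? "wildcard origin not allowed with credentials" : "ok";
  }
  if (allowOrigin !== requestOrigin) return "origin mismatch";
  if (!withCredentials) return "ok";
  return headers["access-control-allow-credentials"] === "true"
    ? "ok"
    : "Access-Control-Allow-Credentials is not 'true'";
}

// Server side: answer with the exact origin only when it is on an allowlist,
// and never pair "*" with credentials.
function corsHeadersFor(requestOrigin, allowedOrigins, allowCredentials) {
  if (!allowedOrigins.has(requestOrigin)) return {}; // no CORS headers: browser blocks
  const headers = {
    "access-control-allow-origin": requestOrigin,
    "vary": "Origin", // response differs per origin, so caches must key on it
  };
  if (allowCredentials) headers["access-control-allow-credentials"] = "true";
  return headers;
}

// Constructed sample values (hypothetical origins, constructed response).
const ORIGIN = "https://app.example.test";
const OTHER = "https://other.example.test";
const ALLOWED = new Set([ORIGIN]);
const wildcardResponse = {
  "access-control-allow-origin": "*",
  "access-control-allow-credentials": "true",
};

function demo() {
  return {
    wildcardInclude: corsCheck(ORIGIN, "include", wildcardResponse),
    wildcardOmit: corsCheck(ORIGIN, "omit", wildcardResponse),
    allowlisted: corsCheck(ORIGIN, "include", corsHeadersFor(ORIGIN, ALLOWED, true)),
    unknownOrigin: corsCheck(OTHER, "include", corsHeadersFor(OTHER, ALLOWED, true)),
  };
}
console.log(demo());
```

Reflecting the request origin without an allowlist would pass the browser check for every site, which is why the builder returns no CORS headers for origins it does not know.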