veb cors middleware does not add Access-Control-Allow-Credentials header

[einar-hjortdal]

Describe the bug

The allow-credentials: true option does not set the Access-Control-Allow-Credentials header on responses with methods other than .option.
Evidence shows that it only adds Access-Control-Allow-Credentials when the request is an options method.
My browser (chrome/edge) is requiring that on get methods too. I can't test nor verify which other methods require these headers at this time, but it is clear get needs them.

Reproduction Steps

Register middleware

	app.use(veb.cors[Context](veb.CorsOptions{
		origins:           [os.getenv(frontend_url)]
		allow_credentials: true
		allowed_methods:   [http.Method.get, http.Method.post, http.Method.delete]
	}))

Perform get request with credentials: include

const response = await fetch("/veb/endpoint", { credentials: "include" });

Header is missing

HTTP/1.1 500 Internal Server Error
Access-Control-Allow-Origin: http://localhost:8081
Vary: Origin, Access-Control-Request-Headers
Content-Type: application/json
Content-Length: 89
Server: veb

chrome errors

Access to fetch at 'http://localhost:8080/veb/endoint' from origin 'http://localhost:8081' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'.

Expected Behavior

Access-Control-Allow-Credentials should be set when browsers expect it.

Current Behavior

Access-Control-Allow-Credentials is not set when browser needs it

Possible Solution

No response

Additional Information/Context

No response

V version

V 0.4.10 0628bf3

Environment details (OS name and version, etc.)

|V full version      |V 0.4.10 464e2973511a9090c6e70a0f53ec5b74aabbffcb.0628bf3
|:-------------------|:-------------------
|OS                  |linux, "openmamba release 2025.5 for x86_64 (rolling)"
|Processor           |8 cpus, 64bit, little endian, Intel(R) Core(TM) i7-4790K CPU @ 4.00GHz
|Memory              |8.83GB/31.16GB
|                    |
|V executable        |/home/einar/.local/lib64/v/v
|V last modified time|2025-06-11 14:26:41
|                    |
|V home dir          |OK, value: /home/einar/.local/lib64/v
|VMODULES            |OK, value: /home/einar/.vmodules
|VTMP                |OK, value: /tmp/v_1000
|Current working dir |OK, value: /home/einar/Documents/projects/vlang/active/peony
|                    |
|Git version         |git version 2.49.0
|V git status        |weekly.2025.22-81-g0628bf32
|.git/config present |true
|                    |
|cc version          |cc (GCC) 15.1.1 20250606
|gcc version         |gcc (GCC) 15.1.1 20250606
|clang version       |N/A
|tcc version         |tcc version 0.9.28rc 2025-02-13 HEAD@f8bd136d (x86_64 Linux)
|tcc git status      |thirdparty-linux-amd64 696c1d84
|emcc version        |N/A
|glibc version       |ldd (GNU libc) 2.41

Note

You can use the 👍 reaction to increase the issue's priority for developers.

Please note that only the 👍 reaction to the issue itself counts as a vote.
Other reactions and those to comments will not be taken into account.

[huly-for-github]

Connected to Huly®: V_0.6-23054

[einar-hjortdal]

A quick google search shows me that browsers expect Access-Control-Allow-Credentials set to true with all http methods whenever credentials are included in the request (not just on options method).

[einar-hjortdal]

Fix was merged