Fix handling of default CorsOptions.allowed_headers

[einar-hjortdal]

veb dev forgot about checking for default case

[huly-for-github]

Connected to Huly®: V_0.6-23058

[einar-hjortdal]

Accidentally fixed another bug while I was at it

[spytheman]

Please, add a test, to prevent future silent regressions.

[einar-hjortdal]

Please, add a test, to prevent future silent regressions.

I am on it.
Do you have any idea why cors_test.v and cors_2_test.v are seemingly identical?

[JalonSolov]

Weird... they are identical, except for ctx vs context in a couple of places... neither would affect the tests.

[spytheman]

vlib/veb/tests/cors_2_test.v was added in #23107 , which made sure, that if the context is passed explicitly, veb will still work, even though Alex added an edge case for implicitly passing context as an experiment (breaking compatibility with older veb apps).

TLDR: do not mind cors_2_test.v, it is unrelated, but needed to prevent regressions.
When you add your test, add it as a new file, or in cors_test.v, which uses mut ctx Context.

[einar-hjortdal]

So, the test is a WIP: I recycled some code from the other test. It looks like the app instances created with a test do not exit fast enough for the next test. However, when running them individually, these tests do pass. I don't really know how to make it work, I would like suggestions or help.

Regarding changes:
I just removed the default allowed_headers ['*']. The wildcard does not work when requests have credentials, and checking for the default needlessly complicated the logic. If a user really wants the wildcard he can just set it, to me it seems a much more obvious choice than setting a wildcard as default and expecting users to provide an empty array if they do not want a wildcard instead.

Instead of calculating the cors_safelisted_response_headers.join(',') at every request, I made it a const. No other code used that.

[einar-hjortdal]

I'm using v compiled with these changes to develop an actual application and it works as expected.