    Disable CORS credentials by default · 652e5c55
    Committed by sdeleuze
    Access-Control-Allow-Credentials CORS header, used to
    allow cookies with CORS requests, is not set to true
    anymore by default when enabling CORS with
    @CrossOrigin or global CORS configuration in order to
    provide a more secure default CORS configuration.
    
    The related allowCredentials property now needs to
    be set to true explicitly in order to support cookies
    with CORS requests.
    
    Issue: SPR-16130
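
How an application opts back in to credentialed CORS requests after this change, shown as an added example that is not part of the commit or of Spring's own code. The class names, the `/account/...` and `/api/**` paths and the origin `https://app.example.com` are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

// Hypothetical controller: class name, paths and origin are illustrative.
@RestController
class AccountController {

    // New default: CORS is enabled for the listed origin, but no
    // Access-Control-Allow-Credentials header is sent, so a browser will
    // not hand the response of a cookie-bearing cross-origin request to
    // the calling script.
    @CrossOrigin(origins = "https://app.example.com")
    @GetMapping("/account/public-profile")
    public String publicProfile() {
        return "public";
    }

    // Explicit opt-in: only this endpoint answers with
    // Access-Control-Allow-Credentials: true. The origin is listed
    // explicitly because browsers refuse a wildcard
    // Access-Control-Allow-Origin on credentialed requests.
    @CrossOrigin(origins = "https://app.example.com", allowCredentials = "true")
    @GetMapping("/account/session")
    public String session() {
        return "session";
    }
}

// Hypothetical global CORS configuration with the same explicit opt-in.
@Configuration
class CorsConfig implements WebMvcConfigurer {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/api/**")
                .allowedOrigins("https://app.example.com")
                .allowedMethods("GET", "POST")
                .allowCredentials(true); // no longer implied by enabling CORS
    }
}
```

When reviewing an upgrade, any endpoint that relied on the old implicit behaviour needs one of these explicit settings; endpoints that never needed cookies can stay on the new default.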
CrossOrigin.java 5.0 KB