Feature Request

Is your feature request related to a problem? Please describe.

The app we're developing uses a frontend that is hosted on a separate sub-domain from our Loco-based backend. In some QA environments, these are even hosted on entirely different domains (think auto-generated preview URLs like vercel, cloudflare pages, etc).

To support session cookie-based auth, we currently use a custom tower_http::CorsLayer middleware that applies different CORS policies per environment. Since we cannot use Access-Control-Allow-Credentials: true with Access-Control-Allow-Origins: * together, but can utilize tower_http::CorsLayer::very_permissive, it would be great if we could support this the Loco middleware to remove this custom code.

Describe the solution you'd like

A config option for the CORS middleware to enable the (dangerous) very_permissive CORS setting. This setting is quite insecure, so should definitely be identified as such in whatever setting its exposed as.

A very permissive configuration:

Credentials allowed.
The method received in Access-Control-Request-Method is sent back as an allowed method.
The origin of the preflight request is sent back as an allowed origin.
The header names received in Access-Control-Request-Headers are sent back as allowed headers.
No headers are currently exposed, but this may change in the future.

Describe alternatives you've considered

Keep using our custom middleware, disabling Loco's CORS setting.