For requests that set "credentials": "include" we were incorrectly returning the Access-Control-Allow-Origin header set to the wildcard *, breaking those requests.

We just rolled out a fix for this by properly responding with the matching Origin request header instead!