While in the previous versions of this feature we actually only provided true in the CORS AllowCredentials field as of #3895 we can also provide false
we'll need to add a test that makes sure that setting it to false actually omits it (in the gateway implementation itself), just out of thought that maybe existing implementations take the value (if exists), that in the past could have only been true