koajs / cors

Cross-Origin Resource Sharing (CORS) for koa

Add support for using a function to determine whether or not to allow credentials. #68

Closed mcohen75 closed 4 years ago

mcohen75 commented 4 years ago

In some scenarios it's useful to allow credentials for certain domains but disallow credentials for others. For example, for a small set of trusted domains, sending credentials can allow authentication via cookies. Computing this via a function makes it possible to allow other non-trusted domains to still make cross-origin requests, but without credentials.

To enable this:

  1. Added a test to confirm the default behavior of the credentials option. When unset, the Access-Control-Allow-Credentials response header is not sent.
  2. When options.credentials is a function, invoke the function to determine the value of the credentials option.
  3. When an options.credentials function returns a Promise, await the promise.
  4. When options.credentials is not a function, coerce the value into a boolean as before.

I also made a small change to the documentation to make clear that a function can now be provided.
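The behaviour described in the comment above, as an added example that is not part of the pull request and is not @koa/cors source: a credentials callback backed by an exact-match origin allowlist, resolved by the four rules listed. Assumptions: the callback is passed the Koa `ctx`; `TRUSTED_ORIGINS`, `credentialsFor`, `resolveCredentials`, `applyCors` and `fakeCtx` are hypothetical names, and the origins are constructed.

```javascript
// Added example, not @koa/cors source. All names here are hypothetical and the
// origins are constructed sample values.
const TRUSTED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);

// Credentials callback: exact-match allowlist, no substring or regex matching.
// Assumption: the callback receives the Koa ctx.
const credentialsFor = (ctx) => TRUSTED_ORIGINS.has(ctx.get('Origin'));

// Steps 2-4 of the description: call a function (awaiting a Promise result),
// otherwise coerce the option to a boolean.
async function resolveCredentials(option, ctx) {
  if (typeof option === 'function') return Boolean(await option(ctx));
  return Boolean(option);
}

// Minimal stand-in for the header logic on a simple (non-preflight) request.
async function applyCors(ctx, options) {
  const origin = ctx.get('Origin');
  ctx.vary('Origin'); // the response differs per origin, so caches must key on it
  if (!origin) return ctx;
  const credentials = await resolveCredentials(options.credentials, ctx);
  // Browsers reject "*" combined with credentials, so echo the origin in that case.
  ctx.set('Access-Control-Allow-Origin', credentials ? origin : '*');
  if (credentials) ctx.set('Access-Control-Allow-Credentials', 'true');
  return ctx;
}

// Constructed fake ctx exposing only the methods used above.
function fakeCtx(origin) {
  const headers = {};
  return {
    get: (name) => (name === 'Origin' ? origin || '' : ''),
    set: (name, value) => { headers[name] = value; },
    vary: (field) => { headers.Vary = field; },
    headers,
  };
}

async function demo() {
  const opts = { credentials: credentialsFor };
  const trusted = await applyCors(fakeCtx('https://app.example.com'), opts);
  const other = await applyCors(fakeCtx('https://other.example.net'), opts);
  const lookalike = await applyCors(fakeCtx('https://app.example.com.other.test'), opts);
  return { trusted: trusted.headers, other: other.headers, lookalike: lookalike.headers };
}

demo().then((result) => console.log(result));
```

Only the allowlisted origin receives `Access-Control-Allow-Credentials: true`; the other two origins, including the lookalike that merely starts with a trusted origin, get a credential-less response.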

mcohen75 commented 4 years ago

@fengmk2 @dead-horse is this something that you'd be willing to consider incorporating?

dead-horse commented 4 years ago

Sorry for the delay. LGTM. :)