loco-rs / loco

🚂 🦀 The one-person framework for Rust for side-projects and startups
https://loco.rs
Apache License 2.0
5.31k stars 225 forks

Missing Access-Control-Allow-Origin in response header using default cors middleware config #934

Open edg-l opened 1 week ago

edg-l commented 1 week ago

Description

I have an external frontend, and making a simple request to the register auth endpoint gives me a CORS error:

```
> cargo loco middleware --config
2024-10-30T10:29:49.473671Z  INFO app: loco_rs::config: loading environment from selected_path="config/development.yaml" environment=development
2024-10-30T10:29:49.475446Z  WARN app: loco_rs::boot: pretty backtraces are enabled (this is great for development but has a runtime cost for production. disable with `logger.pretty_backtrace` in your config yaml) environment=development
limit_payload          {"body_limit":2000000,"enable":true}
cors                   {"allow_headers":["*"],"allow_methods":["*"],"allow_origins":["any"],"enable":true,"max_age":null,"vary":["origin","access-control-request-method","access-control-request-headers"]}
catch_panic            {"enable":true}
etag                   {"enable":true}
logger                 {"config":{"enable":true},"environment":"development"}
request_id             {"enable":true}
fallback               {"code":200,"enable":true,"file":null,"not_found":null}
powered_by             {"ident":"loco.rs"}
```

Making the request using fetch with mode "cors" gives me the following:

Response body is not available to scripts (Reason: CORS Missing Allow Origin)

~Am I missing something or is the header missing in the response?~

Looks like the default config "allow_origins" with any doesn't actually work well; setting it to the specific origin works.

Environment:

Additional Context

Used `loco new`; `loco-rs = { version = "0.12.0" }`
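The check a browser applies before exposing a cross-origin response to a `fetch` in "cors" mode, as an added example (not code from loco or from this thread). It follows the CORS check in the Fetch standard; the origin `http://localhost:5173`, the header sets and the function names are constructed for illustration. The first branch is the case reported as "CORS Missing Allow Origin".

```javascript
// Added example: browser-side CORS check over constructed response headers.

// Case-insensitive header lookup; returns null when the header is absent.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]).trim();
}

// origin: serialized origin of the page calling fetch()
// credentials: true when fetch() uses credentials: "include"
function corsCheck(origin, headers, credentials = false) {
  const allowOrigin = getHeader(headers, "Access-Control-Allow-Origin");
  if (allowOrigin === null) {
    return { ok: false, reason: "missing Access-Control-Allow-Origin" };
  }
  if (allowOrigin === "*") {
    // The wildcard only passes for requests sent without credentials.
    return credentials
      ? { ok: false, reason: "wildcard rejected for credentialed request" }
      : { ok: true, reason: "wildcard" };
  }
  // Any other value must equal the request origin exactly.
  if (allowOrigin !== origin) {
    return { ok: false, reason: "origin mismatch" };
  }
  if (!credentials) return { ok: true, reason: "origin match" };
  return getHeader(headers, "Access-Control-Allow-Credentials") === "true"
    ? { ok: true, reason: "origin match, credentials allowed" }
    : { ok: false, reason: "missing Access-Control-Allow-Credentials" };
}

const FRONTEND = "http://localhost:5173"; // constructed frontend origin
const SAMPLES = {
  noHeader: { "content-type": "application/json" },
  wildcard: { "Access-Control-Allow-Origin": "*" },
  echoed: { "access-control-allow-origin": FRONTEND, vary: "origin" },
  otherSite: { "Access-Control-Allow-Origin": "http://localhost:3000" },
};

// Evaluate every constructed response against the frontend origin.
function runSamples(credentials = false) {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLES)) {
    out[name] = corsCheck(FRONTEND, headers, credentials).reason;
  }
  return out;
}

console.log(runSamples());
```

Feeding it the headers of a real response (for example as shown in the browser's network panel) tells you which branch a server's CORS configuration lands in for a given origin.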

AngelOnFira commented 1 week ago

This is similar to #950, I'm going to see if I can make a PR to close both.