Add Access-Control-Allow-Credentials

[RossJHagan]

Hopefully completes the TODO. Apologies if there's something I've missed in the spec, but it seems to have boiled down to the conditions:

1. Only set if there is there a valid request origin, that matches a specific allowed origin (never set for Origin *)
2. Only set the credentials header with the value 'true', otherwise just don't set the header.